Avoid unescaped HTML built from request or tainted data | Critiq Docs

#Metadata

Rule ID: ruby.security.rails-unsafe-html-output
Severity: high
Confidence: 0.86
Languages: ruby
Presets: security, strict
Stability: stable
Applies to: block
Tags: rails, ruby, rules-catalog, security, xss

#Why it matters

`raw`, `html_safe`, `sanitize: false`, and ERB double-equals disable escaping and commonly become reflected XSS sinks.

#Remediation

Prefer default escaping, pass sanitized fragments, or centralize HTML generation through a vetted sanitizer instead of `raw`/`html_safe`.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/ruby/ruby.security.rails-unsafe-html-output.rule.yaml.

Back to directory Open rule in repository