Avoid rendering raw HTML or bodies from request input | Critiq Docs

#Metadata

Rule ID: ruby.security.rails-unsafe-render
Severity: high
Confidence: 0.83
Languages: ruby
Presets: security, strict
Stability: stable
Applies to: block
Tags: rails, ruby, rules-catalog, security, xss

#Why it matters

These render modes bypass templates and can reflect attacker-controlled markup or scripts when fed tainted strings.

#Remediation

Prefer templates with escaping, sanitize any rich text, or map request identifiers to trusted server-side content instead of rendering raw params.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/ruby/ruby.security.rails-unsafe-render.rule.yaml.

Back to directory Open rule in repository