show.html.erb
Severity: Critical
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: High

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:27

Topic.find_by_id(SiteSetting.get(map[(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")][:topic_id])).posts.first.cooked

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `cooked` is stored HTML that the view emits without escaping; `params[:id]` is reduced to `[a-z0-9_-]` and only selects which configured topic is shown, so the requester does not control the HTML directly. Verify that the only writer of `cooked` is the sanitizing renderer and that no path stores raw user HTML in it; if that holds, mark the finding as a false positive. Escaping at the view is not the fix, since it would double-escape legitimate post markup.
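The review question behind every "cooked" finding on this page is where sanitization happens, not whether the view escapes. The following is an added illustration, not Discourse code (the real PrettyText renderer is a full Markdown pipeline with an allow-list sanitizer); `cook`, `store_post`, `emit_raw` and `emit_escaped` are hypothetical names chosen to mirror the sanitize-on-write, emit-raw shape the flagged views rely on, and the post body is constructed.

```ruby
require "erb"

# Added illustration of the trust boundary behind the "cooked" findings.
# Not Discourse code: the shape is what matters. Sanitize once when the
# post is cooked, store the result, emit it raw at render time.

# Escape-on-output, what Rails' <%= %> does with a plain String.
def emit_escaped(value)
  ERB::Util.html_escape(value.to_s)
end

# Unescaped output, what raw / html_safe / <%== do. Only defensible when
# every writer of the value is known to have sanitized it.
def emit_raw(value)
  value.to_s
end

# Toy "cook": escape everything, then restore only exact, attribute-free
# tags from a fixed allow list. <script>, event handlers and any tag that
# carries attributes stay escaped, so the stored HTML is safe to emit raw.
ALLOWED_TAGS = %w[p em strong].freeze

def cook(raw_markup)
  cooked = ERB::Util.html_escape(raw_markup.to_s)
  ALLOWED_TAGS.each do |tag|
    cooked = cooked.gsub("&lt;#{tag}&gt;", "<#{tag}>")
                   .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  cooked
end

# The check to make for each "cooked" finding: is there any writer of the
# column that bypasses cook? Here there is exactly one writer, so emit_raw
# on the stored value is justified.
def store_post(raw_markup)
  { raw: raw_markup, cooked: cook(raw_markup) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile post body.
  post = store_post("<strong>hi</strong><script>alert(1)</script><p onclick=alert(1)>x</p>")
  puts emit_raw(post[:cooked])      # what the flagged views do
  puts emit_escaped(post[:cooked])  # what blanket "escape it" would do: double-escaped, broken post
end
```

Run it and compare the two output lines: the raw emission shows `<strong>hi</strong>` with the script and the attribute-bearing tag neutralised at cook time, while the escaped emission turns the legitimate markup into visible `&lt;strong&gt;` text. That second line is why "escape it in the view" is the wrong remediation for stored sanitized HTML, and why the useful audit is of the writers of the column rather than its readers.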

show.html.erb
Severity: Severe
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unescaped model attribute

Location

app/views/published_pages/show.html.erb:25

PublishedPage.find_by(:slug => params[:slug]).topic.first_post.cooked

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the slug selects a published page; what is emitted is the `cooked` HTML of its topic's first post. Apply the same check as for the other `cooked` finding: confirm the column is written only by the sanitizing renderer, then mark as false positive; otherwise sanitize at output rather than emitting raw.

embed.html.erb
Severity: Severe
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unescaped model attribute

Location

app/views/layouts/embed.html.erb:2

EmbeddableHost.record_for_url(request.referer).class_name

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the lookup key is the Referer header, which the requester chooses, but the emitted value is the stored `class_name` of the matching host record, not the header. Check where `class_name` is set (admin configuration) and that it is validated or escaped on the way in; if it is rendered inside an attribute, escape it for that context at output. Record the decision against app/views/layouts/embed.html.erb or mark as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/topics/show.html.erb:137

crawlable_meta_data(:title => TopicView.new(params[:topic_id]).title, :description => TopicView.new(params[:topic_id]).summary(:strip_images => true), :image => TopicView.new(params[:topic_id]).image_url, :read_time => TopicView.new(params[:topic_id]).read_time, :like_count => TopicView.new(params[:topic_id]).like_count, :ignore_canonical => true, :published_time => TopicView.new(params[:topic_id]).published_time)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the view emits the markup returned by `crawlable_meta_data` unescaped, and here the title, summary and image URL come from a topic that users create. The fix belongs in the helper, not at this call site: confirm it escapes every value it interpolates for the attribute context before marking its output safe, then mark this finding as a false positive.
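Twelve findings on this page are call sites of `crawlable_meta_data`, so one check on the helper settles all of them. The example below is an added stand-in, not Discourse's helper: `crawlable_meta_data_insecure`, `meta_tag` and this `crawlable_meta_data` are hypothetical, the argument names follow the findings, and the hostile title is constructed. It shows the insecure shape (interpolating caller-supplied values straight into attributes) beside the hardened one.

```ruby
require "erb"

# Added example, not Discourse's helper: a stand-in for a crawlable_meta_data
# style helper that returns <meta> tags which the view then emits unescaped.
# The scanner flags the call site, but the property to establish lives here:
# every interpolated value is escaped for the attribute context before the
# returned markup is trusted.

# Insecure shape: caller-supplied values interpolated straight into attributes.
def crawlable_meta_data_insecure(title:, description: nil, image: nil)
  tags = [%(<meta property="og:title" content="#{title}">)]
  tags << %(<meta property="og:description" content="#{description}">) if description
  tags << %(<meta property="og:image" content="#{image}">) if image
  tags.join("\n")
end

# Hardened shape: html_escape covers & < > " ', so a value cannot close the
# quoted attribute or the tag. Escaping sits at the one place that builds
# markup, which is what lets the view-level finding be marked a false positive.
def meta_tag(property, content)
  %(<meta property="#{ERB::Util.html_escape(property)}" content="#{ERB::Util.html_escape(content)}">)
end

def crawlable_meta_data(title:, description: nil, image: nil)
  tags = [meta_tag("og:title", title)]
  tags << meta_tag("og:description", description) if description
  tags << meta_tag("og:image", image) if image
  tags.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile title, standing in for a user-chosen topic title,
  # username or bio summary that reaches the helper through the views above.
  hostile = %q(x"><script>alert(document.cookie)</script><meta x=")
  puts crawlable_meta_data_insecure(title: hostile)
  puts
  puts crawlable_meta_data(title: hostile, description: "Tom & Jerry")
end
```

The insecure output contains a live `<script>` element because the title closes the `content` attribute and the tag; the hardened output keeps the whole payload inside the attribute as text. Once the real helper is verified to behave like the hardened version, the call-site findings fed by `SiteSetting` values, topic titles, usernames or category names all reduce to the same false positive.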

confirm_admin.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/users/confirm_admin.html.erb:14

t("activation.admin_confirm.complete", :target_username => AdminConfirmation.find_by_code(params[:token]).target_user.username)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `target_username` is interpolated into a translation that the view then emits unescaped. Use an `_html` translation key so Rails escapes interpolated values that are not already html-safe, or escape the username before passing it; if username format rules already exclude markup characters on input, record that and mark as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:38

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: only `SiteSetting.title` and `SiteSetting.site_description` feed the helper here, both admin-controlled. Keep the check in the helper (escape each interpolated value before the returned markup is trusted) and mark the call site as a false positive once that holds.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/users/show.html.erb:7

fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).user_profile.bio_processed

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `bio_processed` is stored HTML derived from a user's bio. Confirm that it is written only by the sanitizing bio pipeline and never copied from raw input; if so, mark as false positive, otherwise sanitize at output instead of emitting raw.

list.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/list/list.erb:154

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: same pattern as the other `crawlable_meta_data` call sites fed only by `SiteSetting.title` and `SiteSetting.site_description`: verify the helper escapes its interpolated values, then mark as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/users/show.html.erb:14

crawlable_meta_data(:title => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).username, :description => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).user_profile.bio_summary, :image => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).small_avatar_url)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the username, bio summary and avatar URL are user-controlled inputs to `crawlable_meta_data`, which the view emits unescaped. Verify the helper escapes each value for the attribute context before returning trusted markup; then mark as false positive.

index.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/about/index.html.erb:113

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: same pattern as the other `crawlable_meta_data` call sites fed only by `SiteSetting.title` and `SiteSetting.site_description`: verify the helper escapes its interpolated values, then mark as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/static/show.html.erb:34

crawlable_meta_data(:title => (("#{(I18n.t("js.#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}") or Topic.find_by_id(SiteSetting.get(map[(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")][:topic_id])).title)} - #{SiteSetting.title}" or ("#{SiteSetting.title} - #{SiteSetting.short_site_description}" or SiteSetting.title))), :description => SiteSetting.site_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `params[:id]` is filtered to `[a-z0-9_-]` and used only to build a translation key and select a topic, so it does not reach the output directly; the emitted title is a translation or a topic title joined to `SiteSetting.title`. Confirm `crawlable_meta_data` escapes the values it interpolates, then mark as false positive.

index.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/categories/index.html.erb:37

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: same pattern as the other `crawlable_meta_data` call sites fed only by `SiteSetting.title` and `SiteSetting.site_description`: verify the helper escapes its interpolated values, then mark as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/badges/show.html.erb:2

crawlable_meta_data(:title => I18n.t("badges.badge_title_metadata", :display_name => @badge.display_name, :site_title => SiteSetting.title), :description => @badge.long_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: badge display names and long descriptions are set by staff but still reach every visitor through `crawlable_meta_data`. Verify the helper escapes each interpolated value for the attribute context, then mark as false positive.

index.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/about/index.html.erb:109

crawlable_meta_data(:title => ("#{I18n.t("js.about.simple_title")} - #{SiteSetting.title}"), :description => SiteSetting.site_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the title is a translation joined to `SiteSetting.title`, the description an admin setting. Verify `crawlable_meta_data` escapes its interpolated values, then mark as false positive.

login.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/login.html.erb:9

crawlable_meta_data(:title => (@title), :description => SiteSetting.site_description)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `@title` is set by the controller; trace what feeds it (a site setting, a translation, or request data) before deciding. Verify `crawlable_meta_data` escapes its interpolated values, then mark as false positive.

unsubscribe.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:30

t("unsubscribe.mute_topic", :link => render_topic_title((UnsubscribeKey.find_by(:key => params[:key]).post.topic or UnsubscribeKey.find_by(:key => params[:key]).topic)))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the `:link` value is HTML produced by `render_topic_title`, which is presumably why the view emits the translation unescaped; `params[:key]` only selects the UnsubscribeKey record. Verify that `render_topic_title` escapes the topic title before marking its output safe, and use an `_html` translation key so any other interpolated value is escaped; then mark as false positive.
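The translation findings on this page come in two flavours: a plain value interpolated into a message (the `target_username` in confirm_admin.html.erb, the `:email` and `:who` values further down) and a markup-returning helper passed as an interpolation argument (`render_topic_title`, `category_badge`). Both are handled by the same rule, which Rails applies to translation keys ending in `_html`: the template is trusted, and each interpolated value is escaped unless it is already marked html-safe. The example below is an added model of that rule, not Discourse's or Rails' code; `SafeHtml`, `h`, `translate_html` and this `render_topic_title` are hypothetical stand-ins, and the translation strings and keys are constructed rather than taken from the project's locale files.

```ruby
require "erb"

# Added example, not Discourse's or Rails' code. Models the rule Rails applies
# to "_html" translation keys: the template is trusted, each interpolated
# value is escaped unless it is already marked html-safe. A helper that
# returns markup therefore passes through, a username or email is neutralised.
# The translation table below is constructed, not the project's locale data.

# Stand-in for ActiveSupport::SafeBuffer: a string a helper vouches for.
class SafeHtml
  def initialize(s); @s = s.to_s; end
  def to_s; @s; end
  def html_safe?; true; end
end

# Escape unless the value carries the html-safe marker.
def h(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

TRANSLATIONS = {
  "activation.admin_confirm.complete_html" => "%{target_username} is now an admin.",
  "unsubscribe.mute_topic_html" => "Mute %{link} and stop receiving emails about it.",
  "unsubscribed.description_html" => "%{email} will no longer receive emails. Manage this at %{url}.",
}.freeze

# Interpolation with escaping: every %{name} goes through h().
def translate_html(key, **values)
  TRANSLATIONS.fetch(key).gsub(/%\{(\w+)\}/) { h(values.fetch($1.to_sym)) }
end

# A helper that returns markup: escape its inputs, then mark the result safe.
def render_topic_title(topic)
  SafeHtml.new(%(<a href="#{ERB::Util.html_escape(topic[:url])}">#{ERB::Util.html_escape(topic[:title])}</a>))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed values a user controls.
  puts translate_html("activation.admin_confirm.complete_html",
                      target_username: "<img src=x onerror=alert(1)>")
  topic = { title: "Hello <script>x</script>", url: "/t/hello/1" }
  puts translate_html("unsubscribe.mute_topic_html", link: render_topic_title(topic))
  puts translate_html("unsubscribed.description_html",
                      email: %q(a@b.example"><svg onload=alert(1)>), url: "/my/preferences")
end
```

The second output line is the interesting one: the `<a>` built by the helper survives because the helper escaped the title itself and then vouched for the result, while the `<script>` inside the title is rendered as text. If the real helper returns html-safe markup without escaping the title first, the `_html` key does nothing to protect it; that is the check to make before closing the render_topic_title and category_badge findings.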

login.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/login.html.erb:3

PrettyText.cook(I18n.t("login_required.#{if SiteSetting.invite_only? then
  "welcome_message_invite_only"
else
  "welcome_message"
end}", :title => SiteSetting.title))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the input is a locale string with `SiteSetting.title` interpolated, passed through the Markdown renderer before output. If the renderer sanitizes its output and site settings are editable only by admins, mark as false positive; note that an admin-controlled value rendered on the login page reaches every visitor, so a renderer regression here would be site-wide.

unsubscribed.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribed.html.erb:10

t("unsubscribed.topic_description", :link => render_topic_title(Topic.find_by(:id => params[:topic_id].to_i)))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `params[:topic_id].to_i` constrains the lookup to an integer id, but the topic title inside `render_topic_title` is user-set. Verify the helper escapes the title before marking its output safe and use an `_html` translation key; then mark as false positive.

unsubscribe.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:23

t("unsubscribe.stop_watching_topic", :link => render_topic_title((UnsubscribeKey.find_by(:key => params[:key]).post.topic or UnsubscribeKey.find_by(:key => params[:key]).topic)))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: same shape as the other `unsubscribe.html.erb` findings: verify `render_topic_title` escapes the topic title before marking its output safe and use an `_html` translation key, then mark as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/topics/show.html.erb:58

t("js.action_codes.#{post.action_code}", :when => "", :who => (((TopicView.new(params[:topic_id]).post_custom_fields[post.id] or {})["action_code_who"] or "")))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `post.action_code` is interpolated into the translation key, so it must come from a fixed set of codes or the lookup falls back to a missing-translation placeholder; the `:who` value comes from post custom fields and is emitted unescaped. Escape `who` (or use an `_html` key) unless the field is validated when written; then mark as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/users/show.html.erb:12

crawlable_meta_data(:title => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).username, :image => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).small_avatar_url)

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: the username and avatar URL are user-controlled inputs to `crawlable_meta_data`; verify the helper escapes each value for the attribute context, then mark as false positive.

unsubscribed.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/email/unsubscribed.html.erb:6

t("unsubscribed.description", :email => Discourse.cache.read(params[:key]), :url => path("/my/preferences"))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `params[:key]` selects a cache entry; the emitted `:email` is whatever was stored under that key, so check that only server code writes those entries and that the key space is not guessable. Escape the value (or use an `_html` translation key) rather than relying on an address format; then mark as false positive.

list.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/list/list.erb:150

crawlable_meta_data(:title => ("#{@category.name} - #{SiteSetting.title}"), :description => (@description_meta))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `@category.name` is set by staff and `@description_meta` by the controller; both still pass through `crawlable_meta_data` unescaped at this call site. Verify the helper escapes its interpolated values, then mark as false positive.

unsubscribe.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 3 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:40

t("unsubscribe.unwatch_category", :category => category_badge((UnsubscribeKey.find_by(:key => params[:key]).post.topic or UnsubscribeKey.find_by(:key => params[:key]).topic).category))

Category description: XSS occurs when a user-controllable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: `:category` is HTML produced by `category_badge`; verify the helper escapes the category name and any other value it embeds in attributes before marking its output safe, and use an `_html` translation key so other interpolated values are escaped; then mark as false positive.