We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak


Unescaped model attribute



t("unsubscribe.unwatch_category", :category => category_badge(((UnsubscribeKey.find_by(:key => params[:key]).post and UnsubscribeKey.find_by(:key => params[:key]).post.topic) or UnsubscribeKey.find_by(:key => params[:key]).topic).category))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.