show.html.erb
code Critical
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: High

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:20

Topic.find_by_id(SiteSetting.send({ "faq" => ({ :redirect => "faq_url", :topic_id => "guidelines_topic_id" }), "tos" => ({ :redirect => "tos_url", :topic_id => "tos_topic_id" }), "privacy" => ({ :redirect => "privacy_policy_url", :topic_id => "privacy_topic_id" }) }[(params[:id] or "faq")][:topic_id])).posts.first.cooked

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.

unsubscribed.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribed.html.erb:11

t("unsubscribed.topic_description", :link => render_topic_title(Topic.find_by(:id => params[:topic_id].to_i)))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribed.html.erb or mark it as false positive.

index.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/about/index.html.erb:109

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/about/index.html.erb or mark it as false positive.

unsubscribe.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:30

t("unsubscribe.mute_topic", :link => render_topic_title(((UnsubscribeKey.find_by(:key => params[:key]).post and UnsubscribeKey.find_by(:key => params[:key]).post.topic) or UnsubscribeKey.find_by(:key => params[:key]).topic)))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.

index.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/categories/index.html.erb:17

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/categories/index.html.erb or mark it as false positive.

unsubscribe.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:40

t("unsubscribe.unwatch_category", :category => category_badge(((UnsubscribeKey.find_by(:key => params[:key]).post and UnsubscribeKey.find_by(:key => params[:key]).post.topic) or UnsubscribeKey.find_by(:key => params[:key]).topic).category))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.

unsubscribe.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:23

t("unsubscribe.stop_watching_topic", :link => render_topic_title(((UnsubscribeKey.find_by(:key => params[:key]).post and UnsubscribeKey.find_by(:key => params[:key]).post.topic) or UnsubscribeKey.find_by(:key => params[:key]).topic)))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.

login.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/login.html.erb:2

PrettyText.cook(I18n.t("login_required.welcome_message", :title => SiteSetting.title))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/static/login.html.erb or mark it as false positive.

show.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/topics/show.html.erb:75

crawlable_meta_data(:title => TopicView.new(params[:topic_id]).title, :description => TopicView.new(params[:topic_id]).summary, :image => TopicView.new(params[:topic_id]).image_url, :read_time => TopicView.new(params[:topic_id]).read_time, :like_count => TopicView.new(params[:topic_id]).like_count)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/topics/show.html.erb or mark it as false positive.

show.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:27

crawlable_meta_data(:title => Topic.find_by_id(SiteSetting.send({ "faq" => ({ :redirect => "faq_url", :topic_id => "guidelines_topic_id" }), "tos" => ({ :redirect => "tos_url", :topic_id => "tos_topic_id" }), "privacy" => ({ :redirect => "privacy_policy_url", :topic_id => "privacy_topic_id" }) }[(params[:id] or "faq")][:topic_id])).title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.

show.html.erb
code Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:31

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.