Discovered about 1 year ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium


Unsafe model attribute in link_to href



link_to(_("Delete"), (@webauthn_registration or U2fRegistration.register(current_user, u2f_app_id, device_registration_params, session[:challenges]))[:delete_path], :method => :delete, :class => "gl-button btn btn-danger float-right", :data => ({ :confirm => _("Are you sure you want to delete this device? This action cannot be undone.") }))

Category description: XSS occurs when a user-manipulable value is rendered into a web page without escaping, allowing an attacker to inject JavaScript or HTML into the page. For the href of a link the usual attribute escaping is not enough: a "javascript:" URL is valid attribute content and runs when the link is clicked, so the URL scheme itself has to be restricted. That is why a link_to href taken from a model-derived value, rather than from a route helper, is flagged.

Solution: fix the issue in app/views/profiles/two_factor_auths/show.html.haml (confirm that the delete_path value is built server-side, for example by a route helper, and is never derived from user-controlled input; otherwise restrict it to site-relative paths or http/https URLs before passing it to link_to), or mark the finding as a false positive if the value cannot be attacker-controlled.
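The following is an added example, not code from this finding or from the GitLab code base, showing why an href that escapes the attribute but does not check the URL scheme is still exploitable, and one guard that would satisfy the finding. It assumes plain Ruby with no Rails dependency: naive_link stands in for link_to's href handling (attribute escaping only), and safe_href?, guarded_link and the sample paths are hypothetical names and constructed inputs.

```ruby
require "uri"
require "cgi"

# Added example (not part of this finding or the GitLab code base): why a
# model-supplied href is flagged, and one way to guard it.
#
# Rails' link_to attribute-escapes the href it is given, which is all the
# helper below does as well. That stops "><script> breakouts but not a
# javascript: URL, which is perfectly valid attribute content.

ALLOWED_SCHEMES = %w[http https].freeze

# Stand-in for link_to's href handling: HTML-attribute escaping only.
def naive_link(label, href)
  %(<a href="#{CGI.escapeHTML(href.to_s)}">#{CGI.escapeHTML(label)}</a>)
end

# Accept only site-relative paths or absolute http(s) URLs.
# Scheme comparison is case-insensitive and surrounding whitespace is
# stripped first, so "  JaVaScRiPt:..." is rejected too.
def safe_href?(href)
  value = href.to_s.strip
  uri = URI.parse(value)
  # Site-relative path ("/-/profile/..."), but not protocol-relative "//host".
  return true if uri.scheme.nil? && uri.host.nil? &&
                 value.start_with?("/") && !value.start_with?("//")
  ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
rescue URI::InvalidURIError
  # Anything Ruby's URI parser refuses (tabs, angle brackets, ...) is not a
  # link we want to emit either.
  false
end

# Guarded variant: a rejected href falls back to an inert "#".
def guarded_link(label, href, fallback: "#")
  naive_link(label, safe_href?(href) ? href : fallback)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate site-relative delete path and the payload
  # an attacker would try if delete_path ever came from user-controlled data.
  good = "/-/profile/two_factor_auth/42"
  bad  = "javascript:alert(document.cookie)"
  puts naive_link("Delete", bad)     # escaping alone leaves the javascript: URL intact
  puts guarded_link("Delete", bad)   # guarded: href="#"
  puts guarded_link("Delete", good)  # legitimate path passes through unchanged
end
```

In the real view the cleanest fix is to build delete_path with a route helper so the value is never a free-form string; the allowlist above is the fallback when the URL genuinely has to come from stored data.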