Discovered about 1 year ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe model attribute in link_to href

Location

app/views/sent_notifications/unsubscribe.html.haml:13

link_to(
  ("#{SentNotification.for(params[:id]).noteable.title} (#{SentNotification.for(params[:id]).noteable.to_reference})" or "#{SentNotification.for(params[:id]).noteable.to_reference}"),
  (url_for([SentNotification.for(params[:id]).project, SentNotification.for(params[:id]).noteable]) or breadcrumb_title_link)
)

The first argument is the link text and the second is the href; each "(a or b)" group is the analyzer's rendering of the two branches of a conditional in the template. The finding fires because model-derived values (the noteable and its project, loaded from params[:id]) flow into the href argument. Note that the href here is built by url_for from an array of records, which resolves to a routed path rather than echoing a stored string attribute.

Category description: XSS occurs when a user-manipulatable value is rendered on a web page without escaping, allowing someone to inject JavaScript or HTML into the page. For this particular check the context is a URL attribute: link_to escapes the HTML characters in an href, but escaping does not change the URL scheme, so a value such as "javascript:..." that reaches the href from a model attribute still executes when the link is followed.

Solution: fix the issue in app/views/sent_notifications/unsubscribe.html.haml or mark it as a false positive. To decide, confirm what actually reaches the href: if it is only the path that url_for builds from the project and noteable records, the scheme is fixed by routing and the finding can be marked a false positive; if any string attribute under user control can be passed as the href, restrict it to relative paths and http(s) URLs before rendering.
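The following is an added example, not code from GitLab or from the analyzer, illustrating the category: a minimal stand-in for link_to (assumed here, named render_link) shows that HTML escaping leaves a "javascript:" href intact, and a hypothetical allowlist helper, safe_href, shows the kind of check that a real fix applies when an href is derived from a model attribute rather than from url_for. Only the Ruby standard library is used, so it runs without Rails.

```ruby
require "erb"
require "uri"

# Stand-in for Rails' link_to (assumption for this example): escapes the
# link text and the href for the HTML attribute context. Escaping stops
# tag and attribute injection, but a "javascript:" scheme is untouched.
def render_link(text, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>)
end

SAFE_SCHEMES = %w[http https].freeze

# Allowlist filter for an href that may originate from a model attribute.
# Returns the cleaned href when it is a same-origin relative URL or an
# http(s) URL; returns nil for anything else (javascript:, data:,
# protocol-relative "//host", unparsable input) so the caller can fall
# back to a safe default.
def safe_href(href)
  return nil if href.nil?

  # Browsers ignore control characters and whitespace inside a scheme, so
  # "java\tscript:" must be normalised before the scheme is inspected.
  normalized = href.to_s.gsub(/[[:cntrl:]\s]/, "")
  return nil if normalized.empty?
  return nil if normalized.start_with?("//") # would change the host

  uri = URI.parse(normalized)
  return normalized if uri.scheme.nil? # relative path, resolved against our origin

  SAFE_SCHEMES.include?(uri.scheme.downcase) ? normalized : nil
rescue URI::InvalidURIError
  nil
end

# Hardened form: the href is validated before it reaches the template.
def render_link_safely(text, href, fallback: "#")
  render_link(text, safe_href(href) || fallback)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a stored title that is safe as text but a
  # stored "URL" attribute that carries a javascript: scheme.
  title = "Fix <script> handling"
  stored_url = "javascript:alert(document.cookie)"
  puts render_link(title, stored_url)        # escaped text, live javascript: href
  puts render_link_safely(title, stored_url) # href replaced by the fallback
  puts render_link_safely(title, "/projects/1/issues/2")
end
```

The filter treats an absent scheme as a relative URL and rejects protocol-relative URLs explicitly, since those carry the same risk of sending the user to another host; anything that fails to parse is rejected rather than passed through, which is the conservative choice for a value that ends up in an attribute.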