{"blog_url":"https://akinobu.net/","author_url":"https://blog.hatena.ne.jp/kuronekopunk/","width":"100%","version":"1.0","html":"<iframe src=\"https://hatenablog-parts.com/embed?url=https%3A%2F%2Fakinobu.net%2Fentry%2F2017%2F05%2F25%2F112310\" title=\" Tagging a string as html safe may be a security risk - \u30ce\u30f3\u30ab\u30d5\u30a7\u30a4\u30f3\u3067\u3042\u306a\u305f\u306b\u3084\u3055\u3057\u3044\" class=\"embed-card embed-blogcard\" scrolling=\"no\" frameborder=\"0\" style=\"display: block; width: 100%; height: 190px; max-width: 500px; margin: 10px 0px;\"></iframe>","categories":["RuboCop","Ruby on Rails"],"published":"2017-05-25 11:23:10","image_url":null,"type":"rich","height":"190","author_name":"kuronekopunk","title":" Tagging a string as html safe may be a security risk","blog_title":"\u30ce\u30f3\u30ab\u30d5\u30a7\u30a4\u30f3\u3067\u3042\u306a\u305f\u306b\u3084\u3055\u3057\u3044","provider_url":"https://hatena.blog","url":"https://akinobu.net/entry/2017/05/25/112310","provider_name":"Hatena Blog","description":"RuboCop(0.48.1) \u3067 Tagging a string as html safe may be a security risk \u3068\u6012\u3089\u308c\u305f html\u30bf\u30b0\u3092\u76f4\u66f8\u304d\u305b\u305a\u306bcontent_tag\u3092\u4f7f\u3048\u3068\u3044\u3046\u3053\u3068\u3089\u3057\u3044\u2193 # bad \"<p>#{text}</p>\".html_safe # good content_tag(:p, text) # bad out = \"\" out << content_tag(:li, \"one\") out << content_tag(:li, \"two\") out.html_safe # good out = [] out << content_ta\u2026"}