mcp-server-semgrep/semgrep-rules/ruby/rails/security/audit/xss/avoid-render-text.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: avoid-render-text
  metadata:
    source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_inline.rb
    owasp:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection
    cwe:
    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
    references:
    - https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss
    category: security
    technology:
    - rails
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
  message: >-
    'render text: ...' actually sets the content-type to 'text/html'.
    If external data can reach here, this exposes your application
    to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to
    render non-HTML text.
  languages: [ruby]
  severity: WARNING
  pattern: 'render text: ...'
  fix-regex:
    regex: 'text:'
    replacement: 'plain:'