
Linter Rule: Disallow ERB output in attribute names

Rule: erb-no-output-in-attribute-name

Description

ERB output tags (<%= %>) are not allowed in HTML attribute names. Use static attribute names with dynamic values instead.

Rationale

ERB output in attribute names (e.g., <div data-<%= key %>="value">) allows dynamic control over which attributes are rendered. When such a value is user-controlled, an attacker can inject arbitrary attributes including JavaScript event handlers, achieving cross-site scripting (XSS).

Examples

Good

<div class="<%= css_class %>"></div>
<input type="text" data-target="value">

Bad

<div data-<%= key %>="value"></div>
<div data-<%= key1 %>="value1" data-<%= key2 %>="value2"></div>
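To show what the rule actually has to detect, here is an added checker in Ruby that is not the linter's own implementation: it reports every ERB output tag that sits in the attribute-name position of a start tag (the two Bad cases above) while leaving output inside attribute values and text content alone. The sample template and the `Offense` struct are constructed for this example; the checker is a heuristic over well-formed templates, not a full ERB/HTML parser.

```ruby
# Added example (not the linter's own code): a small checker for the
# erb-no-output-in-attribute-name rule. It reports every ERB output tag
# (<%= %>) that sits in the attribute-name position of an HTML start tag.
# Heuristic over well-formed templates, not a full ERB/HTML parser.

ERB_OUTPUT = /<%=.*?%>/m   # output tags only: <%= expr %>
ERB_ANY    = /<%.*?%>/m    # any ERB tag, used to blank out earlier tags
QUOTED     = /"[^"]*"|'[^']*'/

Offense = Struct.new(:line, :column, :snippet)

def erb_output_in_attribute_names(source)
  offenses = []
  source.to_enum(:scan, ERB_OUTPUT).each do
    m = Regexp.last_match
    prefix = source[0...m.begin(0)]
    # Look only at the HTML tag the output tag is in, ignoring any ERB tags
    # and complete quoted values that precede it inside that tag.
    stripped = prefix.gsub(ERB_ANY, '')
    tag_start = stripped.rindex('<')
    next if tag_start.nil?
    in_tag = stripped[tag_start..].gsub(QUOTED, '')
    next if in_tag.include?('>')                          # tag already closed: text content
    next if in_tag.include?('"') || in_tag.include?("'")  # inside an open quoted value
    next if in_tag.rstrip.end_with?('=')                  # unquoted attribute value
    line   = prefix.count("\n") + 1
    column = m.begin(0) - (prefix.rindex("\n") || -1)
    offenses << Offense.new(line, column, m[0])
  end
  offenses
end

# Constructed sample template mixing the rule's Good and Bad cases.
SAMPLE = <<~ERB
  <div class="<%= css_class %>"></div>
  <input type="text" data-target="value">
  <div data-<%= key %>="value"></div>
  <div data-<%= key1 %>="value1" data-<%= key2 %>="value2"></div>
  <p><%= heading %></p>
ERB

if $PROGRAM_NAME == __FILE__
  erb_output_in_attribute_names(SAMPLE).each do |o|
    puts "#{o.line}:#{o.column} ERB output in attribute name: #{o.snippet}"
  end
end
```

Run against the sample it reports three offenses, all on lines 3 and 4; the `class` value on line 1 and the text output on line 5 are not flagged.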

References