Rule: erb-no-output-in-attribute-position
ERB output tags (<%= %> or <%== %>) are not allowed in attribute position. Use ERB control flow (<% %>) with static attribute names instead.
ERB output tags in attribute positions (e.g., <div <%= attributes %>>) allow arbitrary attribute injection at runtime. An attacker could inject event handler attributes like onmouseover or onfocus to execute JavaScript.
For example, a common pattern like:
<div <%= "hidden" if index != 0 %>>...</div>should be rewritten to use control flow with static attributes:
<div <% if index != 0 %> hidden <% end %>>...</div>This ensures attribute names are always statically defined and prevents arbitrary attribute injection.
<div class="<%= css_class %>"></div><input value="<%= user.name %>"><div <% if active? %> class="active" <% end %>></div><div <%= data_attributes %>></div><div <%== raw_attributes %>></div><div <%= first_attrs %> <%= second_attrs %>></div>