Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sobelow does not analyse sigil_H #160

Open
marcandre opened this issue Apr 3, 2024 · 1 comment
Open

sobelow does not analyse sigil_H #160

marcandre opened this issue Apr 3, 2024 · 1 comment

Comments

@marcandre
Copy link

While sobelow analyses .heex templates, it seems it ignores completely HEEX templates using ~H"...".

For some tests, in particular XSS, this is a critical issue.

@houllette
Copy link
Contributor

Interesting! Thanks for the find - I'll need to dig a bit deeper into this feature add, because existing .heex support like you linked is all based around reading entire template files and not strings within .ex files. Therefore it wouldn't be simply a matter of adjusting the existing rule, but more than likely creating a brand new rule or revamping the existing one to also consider .ex files with ~H"...".

To be honest, I'm also not sure Sobelow currently identifies / pulls out sigils in any sort of way - so I would need to look into that before confirming how difficult an adjustment this is. But this is still a great callout to improve detections!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants