In response to the Rails-related CVEs released this week, Brakeman Pro Desktop 1.7.3 and Brakeman Pro Engine 4.2.1 are now available!
Please note that there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Parsing HTML and carefully keeping only “safe” values is very difficult to do correctly every time, for every input.
Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape output.
- Warn about CVE-2018-3741
- Warn about CVE-2018-8048
- Scan the
- Avoid warning about dynamic renders when
Want to know more about Brakeman Pro?
Brakeman Pro is a static analysis security tool for Ruby on Rails applications.
If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.
Need to try before buying? Take Brakeman Pro Desktop for a spin.
Please feel free to contact us with any questions!