Inline ERB template rendered from request input
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
render inline: compiles its argument as an ERB template and runs it. Passing params into it lets a client submit arbitrary ERB, including embedded Ruby, which executes on the server: full remote code execution.
Why it matters
render inline: compiles its string argument as an ERB template, embedded Ruby tags included, and executes it immediately. Passing params into it means a client-submitted string is compiled and run as server-side template code, which is full remote code execution, not merely markup injection.
How to fix it
Stop using render inline: with any request-derived string. Render a named template or partial from the app's view directory instead, passing the request value in as a plain local variable that ERB will escape normally, never as the template source itself.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo