class Brakeman::CheckCrossSiteScripting
# Report an expression whose value reaches the rendered template without
# Rails' auto-escaping (CWE-79).
#
# Three shapes are inspected: a plain `:output` node (the emitted value),
# `raw(x)` (its first argument) and `x.html_safe` (its receiver) -- the
# latter two explicitly opt the value out of escaping, so what matters is
# the value being marked safe, not the call itself.
#
# Two findings are possible, tried in this order:
#   * the value is directly derived from user input -> high confidence;
#   * the value is directly a model attribute -> high confidence when it
#     looks like an attribute read, otherwise medium. This branch is skipped
#     entirely when the `:ignore_model_output` option is set, and suppressed
#     for receivers/methods listed in IGNORE_MODEL_METHODS. Note that
#     suppressing it also hides stored XSS through persisted attributes.
#     When the unescaped call is `.to_json` on the model, the finding is
#     tagged as :xss_to_json with its own documentation link.
#
# Calls whitelisted by ignore_call? (receiver + method) are never reported.
#
# @param exp [Sexp] the output/raw/html_safe expression under review
# @return :duplicate when already reported; false when nothing matched;
#   otherwise the result of the warning (nil when the model method is
#   ignored)
def check_for_immediate_xss exp
  return :duplicate if duplicate? exp

  # Pull out the value that is actually written to the response.
  out = exp.value if exp.node_type == :output
  if raw_call? exp
    out = exp.value.first_arg
  elsif html_safe_call? exp
    out = exp.value.target
  end

  # Receiver/method pairs the project or Brakeman deems safe to emit raw.
  return if call?(out) && ignore_call?(out.target, out.method)

  input = has_immediate_user_input?(out)

  # The model probe runs only when no user input was found and the
  # option to ignore model output is unset -- same short-circuit order as
  # the original if/elsif chain.
  model_match = nil
  unless input || tracker.options[:ignore_model_output]
    model_match = has_immediate_model?(out)
  end

  if input
    add_result exp
    warn template: @current_template,
         warning_type: "Cross-Site Scripting",
         warning_code: :cross_site_scripting,
         message: msg("Unescaped ", msg_input(input)),
         code: input.match,
         confidence: :high,
         cwe_id: [79]
  elsif model_match
    # Only a call node carries a method name to compare against the
    # ignore list; a bare model reference has none.
    called_method = call?(model_match) ? model_match.method : nil

    unless IGNORE_MODEL_METHODS.include? called_method
      add_result exp

      confidence = likely_model_attribute?(model_match) ? :high : :medium
      message = "Unescaped model attribute"
      link_path = "cross_site_scripting"
      warning_code = :cross_site_scripting

      # `model.to_json` emitted raw is a distinct pattern with its own docs.
      json_output = node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) &&
                    out.method == :to_json
      if json_output
        message += " in JSON hash"
        link_path += "_to_json"
        warning_code = :xss_to_json
      end

      warn template: @current_template,
           warning_type: "Cross-Site Scripting",
           warning_code: warning_code,
           message: message,
           code: model_match,
           confidence: confidence,
           link_path: link_path,
           cwe_id: [79]
    end
  else
    false
  end
end