class Brakeman::CheckCrossSiteScripting
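# Configure which helper methods the XSS check treats as safe or as dangerous.
#
# Populates the instance state read while scanning:
#   @ignore_methods        - helpers whose output is assumed already escaped,
#                            plus anything in the :safe_methods option
#   @models                - model names known to the tracker
#   @inspect_arguments     - the :check_arguments option
#   @known_dangerous       - helpers that emit their input unescaped; the set
#                            depends on the Rails and rails-html-sanitizer
#                            versions, so the same helper can be safe on one
#                            release and dangerous on another
#   @safe_input_attributes - gains :to_json when Rails escapes JSON output
#                            (the set itself is initialised outside this method)
#
# Relies on tracker, version_between?, true? and Brakeman.debug from the
# surrounding check infrastructure.
def setup
  @ignore_methods = Set[
    :==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
    :field_field, :fields_for, :form_for, :h, :hidden_field, :hidden_field_tag,
    :image_tag, :label, :link_to, :mail_to, :radio_button, :select, :submit_tag,
    :text_area, :text_field, :text_field_tag, :url_encode, :u, :url_for,
    :will_paginate
  ].merge(tracker.options[:safe_methods] || []) # tolerate an unset option

  @models = tracker.models.keys
  @inspect_arguments = tracker.options[:check_arguments]

  @known_dangerous = Set[:truncate, :concat]

  # auto_link: unescaped on Rails 2.0.0..3.0.5, safe on 3.0.6..3.0.99,
  # not classified either way on other versions.
  if version_between?("2.0.0", "3.0.5")
    @known_dangerous << :auto_link
  elsif version_between?("3.0.6", "3.0.99")
    @ignore_methods << :auto_link
  end

  sanitizer_version = tracker.config.gem_version(:'rails-html-sanitizer')

  # strip_tags: unescaped on Rails 2.x and on rails-html-sanitizer 1.0.2.
  if version_between?("2.0.0", "2.3.14") || sanitizer_version == '1.0.2'
    @known_dangerous << :strip_tags
  end

  # sanitize: unescaped on rails-html-sanitizer 1.0.0..1.0.2.
  if tracker.config.has_gem?(:'rails-html-sanitizer') &&
     version_between?("1.0.0", "1.0.2", sanitizer_version)
    @known_dangerous << :sanitize
  end

  # Rails up to 2.0.99 never escapes to_json output, regardless of config.
  if !json_escape_enabled? || version_between?("0.0.0", "2.0.99")
    @known_dangerous << :to_json
    Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
  else
    @safe_input_attributes << :to_json
    Brakeman.debug("Automatic to_json escaping is enabled.")
  end
end

# Whether ActiveSupport escapes HTML entities in to_json output.
#
# True if the last `ActiveSupport.escape_html_entities_in_json = ...`
# initializer call found by the tracker passes a literal true, if the tracker
# config reports the flag as on, or if the Rails version is 4.0.0 or later
# ("9.9.9" is an open upper bound).
# NOTE(review): an initializer that explicitly sets the flag to false is still
# overridden by the config flag or the Rails >= 4 default, so to_json is
# treated as safe in that case -- confirm that is intended.
def json_escape_enabled?
  escaped_by_initializer = false
  initializer_calls = tracker.find_call(target: :ActiveSupport, method: :escape_html_entities_in_json=)
  initializer_calls.each do |result|
    escaped_by_initializer = true?(result[:call].first_arg) # last assignment wins
  end

  escaped_by_initializer ||
    tracker.config.escape_html_entities_in_json? ||
    version_between?("4.0.0", "9.9.9")
end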