Linter Rule: Disallow ERB output in attribute position

Rule: erb-no-output-in-attribute-position

Description

ERB output tags (<%= %> or <%== %>) are not allowed in attribute position. Use ERB control flow (<% %>) with static attribute names instead.

Rationale

ERB output tags in attribute positions (e.g., <div <%= attributes %>>) allow arbitrary attribute injection at runtime. An attacker could inject event handler attributes like onmouseover or onfocus to execute JavaScript.

For example, a common pattern like:

```erb
<div <%= "hidden" if index != 0 %>>...</div>
```
Avoid `<%= %>` in attribute position. Use `<% if ... %>` with static attributes instead. (erb-no-output-in-attribute-position)

should be rewritten to use control flow with static attributes:

```erb
<div <% if index != 0 %> hidden <% end %>>...</div>
```

This ensures attribute names are always statically defined and prevents arbitrary attribute injection.

Examples

Good

```erb
<div class="<%= css_class %>"></div>
```

```erb
<input value="<%= user.name %>">
```

```erb
<div <% if active? %> class="active" <% end %>></div>
```

Bad

```erb
<div <%= data_attributes %>></div>
```
Avoid `<%= %>` in attribute position. Use `<% if ... %>` with static attributes instead. (erb-no-output-in-attribute-position)

```erb
<div <%== raw_attributes %>></div>
```
Avoid `<%= %>` in attribute position. Use `<% if ... %>` with static attributes instead. (erb-no-output-in-attribute-position)

```erb
<div <%= first_attrs %> <%= second_attrs %>></div>
```
Avoid `<%= %>` in attribute position. Use `<% if ... %>` with static attributes instead. (erb-no-output-in-attribute-position)
Avoid `<%= %>` in attribute position. Use `<% if ... %>` with static attributes instead. (erb-no-output-in-attribute-position)
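To make the boundary of the rule concrete, here is a small Ruby scanner written for this page (example code, not the linter's own implementation) that reports `<%=` and `<%==` tags sitting in attribute position, while ignoring output tags inside quoted attribute values and `<% %>` control-flow tags. The function name `erb_output_in_attribute_position` is hypothetical; it is run over the Good and Bad examples above.

```ruby
# Returns the ERB output tags ("<%= ... %>" or "<%== ... %>") that appear in
# attribute position, i.e. between a tag's "<name" and its closing ">" but
# outside any quoted attribute value. Control-flow tags ("<% ... %>") are never
# reported, and output tags inside text content or quoted values are fine.
def erb_output_in_attribute_position(template)
  offenses = []
  i = 0
  in_tag = false   # true between "<name" and the ">" that closes the start tag
  quote = nil      # quote character of the attribute value we are inside, if any

  while i < template.length
    if template[i, 2] == "<%"
      close = template.index("%>", i + 2)
      break unless close                       # unterminated ERB tag: stop scanning
      erb = template[i..close + 1]
      # "<%==" also starts with "<%=", so one prefix check covers both forms.
      offenses << erb if erb.start_with?("<%=") && in_tag && quote.nil?
      i = close + 2
      next
    end

    ch = template[i]
    if in_tag
      if quote
        quote = nil if ch == quote             # leaving a quoted attribute value
      elsif ch == '"' || ch == "'"
        quote = ch                             # entering a quoted attribute value
      elsif ch == ">"
        in_tag = false                         # end of the start tag
      end
    elsif ch == "<" && template[i + 1].to_s.match?(/[A-Za-z]/)
      in_tag = true                            # "<div", "<input", ... (not "</div>")
    end
    i += 1
  end
  offenses
end

# Constructed sample templates taken from the rule's own Good and Bad examples.
GOOD_TEMPLATES = [
  '<div class="<%= css_class %>"></div>',
  '<input value="<%= user.name %>">',
  '<div <% if active? %> class="active" <% end %>></div>'
].freeze

BAD_TEMPLATES = [
  '<div <%= data_attributes %>></div>',
  '<div <%== raw_attributes %>></div>',
  '<div <%= first_attrs %> <%= second_attrs %>></div>'
].freeze
```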

Released under the MIT License.