
Linter Rule: Disallow ERB output in attribute names

Rule: erb-no-output-in-attribute-name

Description

ERB output tags (<%= %>) are not allowed in HTML attribute names. Use static attribute names with dynamic values instead.

Rationale

ERB output in an attribute name (e.g., <div data-<%= key %>="value">) lets the rendered value decide which attributes the element carries. When that value is user-controlled, an attacker can terminate the intended name with a space and inject arbitrary additional attributes, including JavaScript event handlers such as onmouseover, achieving cross-site scripting (XSS). HTML escaping of the interpolated value does not prevent this: a payload such as x onmouseover=alert(1) foo contains no quotes or angle brackets, so nothing in it is escaped.
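The following added example (not part of the linter's own code) renders the flagged template shape and the hardened shape with plain Ruby ERB, using ERB::Util.html_escape to stand in for the escaping a Rails view applies to <%= %>. The payload string, the attribute tokenizer and the allowlist helper safe_data_attribute are constructed for this demonstration; the tokenizer approximates how a browser reads a start tag and is not a full HTML parser.

```ruby
require "erb"

# Constructed attacker-controlled key. It contains no quote, angle bracket or
# ampersand, so HTML escaping returns it unchanged.
PAYLOAD = "x onmouseover=alert(1) foo"

# Template shape the rule flags: ERB output inside the attribute name.
# html_escape stands in for the escaping a Rails view applies to <%= %>.
VULNERABLE_TEMPLATE = '<div data-<%= ERB::Util.html_escape(key) %>="value"></div>'

# Hardened shape: a static attribute name, with the dynamic part in the value.
SAFE_TEMPLATE = '<div data-key="<%= ERB::Util.html_escape(key) %>"></div>'

def render(template, key)
  ERB.new(template).result_with_hash(key: key)
end

# Attribute names of the first element in +html+, approximating how a browser
# tokenizes a start tag (unquoted values end at whitespace). Demonstration only.
def attribute_names(html)
  attrs = html[/<[a-z]+\s+([^>]*)>/i, 1] || ""
  attrs.scan(/([^\s=\/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/).flatten
end

# Event-handler attributes (on*) the markup would register.
def event_handlers(html)
  attribute_names(html).select { |name| name.downcase.start_with?("on") }
end

# When the attribute name really must vary, restrict it to a fixed allowlist
# (hypothetical helper, not part of the linter) instead of interpolating input.
ALLOWED_DATA_KEYS = %w[target controller action].freeze

def safe_data_attribute(key, value)
  unless ALLOWED_DATA_KEYS.include?(key)
    raise ArgumentError, "unexpected data attribute key: #{key.inspect}"
  end
  %(data-#{key}="#{ERB::Util.html_escape(value)}")
end

if __FILE__ == $PROGRAM_NAME
  vulnerable = render(VULNERABLE_TEMPLATE, PAYLOAD)
  safe = render(SAFE_TEMPLATE, PAYLOAD)
  puts "vulnerable: #{vulnerable}"
  puts "  handlers: #{event_handlers(vulnerable).inspect}"
  puts "safe:       #{safe}"
  puts "  handlers: #{event_handlers(safe).inspect}"
end
```

Running it shows the vulnerable template producing <div data-x onmouseover=alert(1) foo="value"></div>, where the browser sees three attributes and registers an onmouseover handler, while the hardened template yields a single data-key attribute whose value is inert text.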

Examples

Good

```erb
<div class="<%= css_class %>"></div>
```

```erb
<input type="text" data-target="value">
```

Bad

```erb
<div data-<%= key %>="value"></div>
```
Avoid ERB output in attribute names. Use static attribute names with dynamic values instead. (erb-no-output-in-attribute-name)

```erb
<div data-<%= key1 %>="value1" data-<%= key2 %>="value2"></div>
```
Avoid ERB output in attribute names. Use static attribute names with dynamic values instead. (erb-no-output-in-attribute-name)
Avoid ERB output in attribute names. Use static attribute names with dynamic values instead. (erb-no-output-in-attribute-name)
