Gemini

[apmiller108]

No description provided.

In general, to fix this, any user-controlled value interpolated into HTML must be escaped or strongly validated/whitelisted before being marked html_safe. You should avoid calling html_safe on strings that contain raw user input, or ensure the user input is sanitized (e.g., ERB::Util.html_escape) or restricted to a known safe set of values.

The minimal fix here without changing existing behavior is: ensure @vendor is converted into a safe, normalized value before being interpolated, and avoid passing raw params[:vendor] through. We already have a current_vendor method that derives a vendor symbol from params[:vendor] or other internal sources, so we can reuse that. In the available action, instead of setting @vendor = params[:vendor], set @vendor = current_vendor. When interpolated in the label "Conversation Context … #{@vendor.to_s.titleize}", this will now be built from the whitelisted symbol returned by current_vendor, not arbitrary user input. We can keep the html_safe call because only the known vendor name will be inserted between tags, and Rails will escape the symbol’s string representation when it was originally constructed or ensure it is not tainted with arbitrary HTML; alternatively, if you want to be stricter, you could wrap @vendor.to_s.titleize with ERB::Util.html_escape, but that requires adding an import. The most straightforward fix within the shown code is to change line 70 to use current_vendor.

Concretely:

• Edit app/controllers/conversation_contexts_conversations_controller.rb.
• In the available action, replace @vendor = params[:vendor] with @vendor = current_vendor.
• No additional methods or imports are needed because current_vendor is already defined in this controller.