
Beware of

Image by Luc Bercoth

XSS, which stands for Cross-Site Scripting, is a common vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can be used to steal sensitive information, manipulate the page’s content, or perform other malicious actions on behalf of the attacker.

One of the benefits of frameworks like Rails is that XSS protection is built in and automatically applied to user-provided content. Rails uses a combination of context-aware output encoding and automatic escaping to mitigate XSS vulnerabilities.

By default, Rails automatically escapes HTML entities when rendering user input within HTML templates, and then uses a special class called ActiveSupport::SafeBuffer to handle string concatenation and the final rendering of the user-generated content. SafeBuffer is designed to prevent inadvertent double-escaping of the string or bypassing of the encoding mechanisms.

But you can, and folks do, go around it.

…using:

…Rails’s sanitization methods to ensure content is made safe before it gets to the view:

This is primarily about defending your application against malicious user input. Using the ERB tags in a Rails view template is the same as writing , which completely avoids the protections offered by SafeBuffer.

If you see 1 %>. This is safe to use because the output of pagy_nav is handled by the gem and there’s very little risk of XSS as a result.

There are two other cases where using unescaped HTML is okay:

One is for performance. There is a small overhead to managing the sanitization of each string. If you have a large number of strings, or very long ones, you may see a performance improvement by avoiding the escaping.

The other is where managing the escaping of complicated strings is tricky, but that is precisely where you need to do the work to properly manage potentially treacherous input yourself, or let the framework take the strain.

Last updated on July 17th, 2023 by @andycroll
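The following is an added example, not code from the original post or from Rails itself. It models the SafeBuffer behaviour described above in plain Ruby (using the standard library's ERB::Util.html_escape) so the three cases can be run side by side: a plain string appended to a safe buffer is escaped, a string marked safe is passed through untouched (the bypass), and an already-escaped safe string is not escaped a second time. SafeBufferModel, mark_html_safe, escape_then_mark_safe and the render_* helpers are assumed names for this illustration; the user input is constructed.

```ruby
require "erb"

# Minimal model of the ActiveSupport::SafeBuffer semantics (added example,
# not the Rails implementation): the buffer treats its own content as safe,
# escapes every plain String appended to it, and appends another safe
# buffer verbatim so already-escaped content is never double-escaped.
class SafeBufferModel
  attr_reader :content

  def initialize(content = "")
    @content = content.dup
  end

  # Plain strings are HTML-escaped on the way in; safe buffers are trusted as-is.
  def <<(other)
    @content << (other.is_a?(SafeBufferModel) ? other.content : ERB::Util.html_escape(other))
    self
  end

  def to_s
    @content
  end
end

# Models String#html_safe: wraps WITHOUT escaping. Applied to user input,
# this is exactly the step that hands the raw string to the browser.
def mark_html_safe(str)
  SafeBufferModel.new(str)
end

# Assumed helper: escape first, then mark safe, the correct order when a
# trusted string genuinely has to be built by hand.
def escape_then_mark_safe(str)
  SafeBufferModel.new(ERB::Util.html_escape(str))
end

# Constructed sample of hostile user input.
USER_INPUT = "<script>alert(1)</script>"

# 1. Default behaviour: a plain string appended to a safe buffer is escaped.
def render_escaped(input)
  buf = SafeBufferModel.new("<p>")
  buf << input
  buf << mark_html_safe("</p>")
  buf.to_s
end

# 2. Marking user input html_safe bypasses the protection entirely.
def render_bypassed(input)
  buf = SafeBufferModel.new("<p>")
  buf << mark_html_safe(input)
  buf << mark_html_safe("</p>")
  buf.to_s
end

# 3. An already-escaped safe buffer is appended verbatim: no double escaping.
def render_no_double_escape(input)
  buf = SafeBufferModel.new("<p>")
  buf << escape_then_mark_safe(input)
  buf << mark_html_safe("</p>")
  buf.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts render_escaped(USER_INPUT)
  puts render_bypassed(USER_INPUT)
  puts render_no_double_escape(USER_INPUT)
end
```

The detection rule that falls out of this is simple: the only thing that separates case 1 from case 2 is a call that marks a string safe, so any such call (or an unescaped ERB tag) applied to a value that originated from a request, a database column or an external API deserves the same review attention as a raw SQL string.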



This post first appeared on VedVyas Articles.
