XSS Prevention in Ruby on Rails: A Real-World Cleanup
I’ve cleaned up XSS issues in enough Rails apps to know the pattern: the team assumes Rails auto-escaping has them covered, then one helper, one html_safe, or one “temporary” rich text feature quietly blows a hole in the whole thing. Rails does a lot right by default. That’s true. But most real XSS bugs in Rails don’t come from ERB tags alone. They come from the seams: helpers, JavaScript interpolation, admin tooling, markdown rendering, ActionText assumptions, and legacy code that predates current defaults. ...
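The helper and JavaScript-interpolation seams named above, as an added example that is not code from the original post: each vulnerable helper sits beside its escaped form. It uses only the Ruby standard library, where ERB::Util.html_escape is the routine Rails' h helper calls; js_string_escape is an assumed stand-in for Rails' escape_javascript, not Rails' own code.

```ruby
require "erb"

# Constructed attacker-controlled input used throughout the demo.
EVIL_NAME = %q{"><script>alert(1)</script>}

# BEFORE: a helper that hand-builds HTML and trusts the result. In a Rails
# app this is the line that ends in `.html_safe` (or `raw`), which switches
# off auto-escaping for everything interpolated into the string.
def user_badge_unsafe(name)
  %Q{<span class="badge" title="#{name}">#{name}</span>} # .html_safe in Rails
end

# AFTER: escape every dynamic value where it enters markup, covering both
# the attribute context (title="...") and the text context. In Rails,
# `tag.span(name, class: "badge", title: name)` does exactly this; the
# stdlib call is used here so the example runs outside Rails.
def user_badge_safe(name)
  escaped = ERB::Util.html_escape(name)
  %Q{<span class="badge" title="#{escaped}">#{escaped}</span>}
end

# The JavaScript seam: HTML escaping is the wrong tool inside <script>,
# because the browser never decodes entities there. Stand-in (assumed) for
# Rails' escape_javascript: encode every character that can end a JS string
# literal or the enclosing script element as a \uXXXX escape.
def js_string_escape(value)
  value.gsub(%r{[\\"'<>&\r\n\u2028\u2029]}) { |c| format('\\u%04x', c.ord) }
end

# BEFORE: user data dropped straight into an inline script; a "</script>"
# in the value closes the element and the rest of the input becomes markup.
def inline_config_unsafe(name)
  %Q{<script>var currentUser = "#{name}";</script>}
end

# AFTER: the value is a valid JS string literal no matter what it contains.
def inline_config_safe(name)
  %Q{<script>var currentUser = "#{js_string_escape(name)}";</script>}
end
```

Each "unsafe" helper mirrors the pattern the cleanup is hunting for: HTML assembled from user data and handed to the view as trusted.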