A class name in user input: Anything can happen.
A = in a name could make Excel run macros.
Injection with % in SQL LIKE is common and may lead to long queries.
Can CSS from the user do any harm?
CSP is a great way to reduce or completely remove the number 1 web app security vulnerability – Cross-Site Scripting (XSS).
CSRF explained and all related questions answered
Store secrets in the environment variables, secure and manage them
Injecting parameters or entire Unix commands
How does Rails’ XSS protection work exactly
Haml templates support Rails’ XSS protection