What is Cross Site Scripting (XSS)?

It’s #3 in the OWASP Top Ten project.


Consider this Rails view snippet: <%= @flat.title %>. If someone edited the flat’s title and added HTML, this Rails view would render that HTML unescaped in the security context of the application, so the browser would execute it. This is XSS.
To be fair, this doesn’t work in today’s Rails anymore, but in Rails version 2 you had to escape every single user input: <%= h(@flat.title) %>.
Nowadays Rails has a flag on each string that marks it as HTML safe or not: @flat.title.html_safe?. If it’s unsafe (from a parameter, from the database, …) it will be automatically escaped when used like this: <%= @flat.title %>.
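To make the flag mechanism concrete, here is a small, added illustration (not Rails’ own code) that models the idea behind ActiveSupport::SafeBuffer: a trusted buffer escapes every unsafe string appended to it and passes strings already marked html_safe through verbatim. The names SafeString and render_title are my own; the escaping comes from Ruby’s standard ERB::Util.html_escape, which is what the old h() helper wrapped.

```ruby
require "erb"

# Plain strings are untrusted by default, as in Rails: html_safe? is false,
# and html_safe returns a trusted copy. (Simplified model, not Rails' code.)
class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# SafeString stands in for ActiveSupport::SafeBuffer: it is a String that
# reports itself as safe and escapes untrusted input on append.
class SafeString < String
  def html_safe?
    true
  end

  # Appending an untrusted string escapes it; a safe string is kept as-is.
  def concat(other)
    trusted = other.respond_to?(:html_safe?) && other.html_safe?
    super(trusted ? other : ERB::Util.html_escape(other))
  end
  alias << concat
end

# Old-style explicit escaping, equivalent to the Rails 2 h() helper.
def h(value)
  ERB::Util.html_escape(value)
end

# Simulates <%= title %> inside an <h1> in a modern Rails view: template
# literals are trusted, the interpolated value is escaped unless flagged safe.
def render_title(title)
  buffer = SafeString.new("<h1>")
  buffer << title
  buffer << "</h1>".html_safe
  buffer
end

# Example inputs (constructed for this illustration):
puts render_title("<script>alert(1)</script>")          # escaped: neutralised
puts render_title("<b>Nice flat</b>".html_safe)          # trusted: rendered as markup
```

Marking a value html_safe is therefore a promise that it has already been escaped or sanitised; applying it to raw user input reintroduces exactly the Rails 2 problem.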

HTML-safe, ActiveSupport::SafeBuffer explained

How does Rails’ XSS protection work exactly?