Consider this Rails view snippet: <%= @flat.title %>. If someone edited the flat’s title and added HTML, this Rails view would render that HTML in the security context of the application. The browser would then execute that HTML in the application’s origin, which is XSS (cross-site scripting).
To be fair, this doesn’t work in today’s Rails anymore, but in Rails version 2 you had to escape every single user input yourself: <%= h(@flat.title) %>.
Nowadays Rails has a flag on each string that marks it as HTML safe or not: @flat.title.html_safe?. If it’s unsafe (from a parameter, from the database, …) it will be automatically escaped when it is used like this: <%= @flat.title %>.
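To make the three behaviours above concrete, here is an added example (not code from the original post and not Rails’ own implementation) that runs with plain Ruby and its standard library. It uses stdlib ERB to show the Rails 2 situation (no escaping unless you call h), a hand-written h based on CGI.escapeHTML (a stand-in for Rails’ ERB::Util.html_escape), and a deliberately simplified SafeBuffer class modelled on ActiveSupport::SafeBuffer: template literals enter the buffer through safe_concat untouched, while <%= %> values enter through << and are escaped unless html_safe? is true. The class names and the render_* functions are this example’s own; the sample title is a constructed input.

```ruby
require "erb"
require "cgi"

# Simplified model of ActiveSupport::SafeBuffer (assumption: not the real class).
# A SafeBuffer is a String that is html_safe? by construction and that escapes
# any unsafe value appended to it via << / concat.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Dynamic values (<%= value %>) come in here: escaped unless already marked safe.
  def concat(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value.to_str : CGI.escapeHTML(value.to_s))
  end
  alias_method :<<, :concat

  # Literal template text comes in here: appended without escaping.
  def safe_concat(value)
    String.instance_method(:concat).bind(self).call(value.to_str)
  end
end

# Like Rails' core extension: every plain String is unsafe until someone
# explicitly calls html_safe on it.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Rails 2 style manual escaping helper (stand-in for ERB::Util.html_escape).
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Plain ERB: <%= %> inserts the value verbatim, i.e. the Rails 2 default.
def render_unescaped(title)
  ERB.new("<p><%= title %></p>").result_with_hash(title: title)
end

# Rails 2 style: the developer has to remember h() on every user-controlled value.
def render_with_h(title)
  ERB.new("<p><%= h(title) %></p>").result_with_hash(title: title)
end

# What a Rails 3+ compiled template does for "<p><%= title %></p>", written out
# by hand: literals are appended safely, the dynamic value goes through <<.
def render_safe_buffer(title)
  out = SafeBuffer.new
  out.safe_concat("<p>")
  out << title
  out.safe_concat("</p>")
  out
end

if __FILE__ == $PROGRAM_NAME
  title = "<script>alert(1)</script>" # constructed sample: HTML entered as a flat title
  puts render_unescaped(title)   # script tag reaches the browser
  puts render_with_h(title)      # escaped only because h() was called
  puts render_safe_buffer(title) # escaped automatically: title.html_safe? is false
  puts render_safe_buffer("<b>Penthouse</b>".html_safe) # explicitly trusted, left as-is
end
```

The last call is the important caveat: calling html_safe on a string moves responsibility back to the developer, so in a real code base it should only ever be applied to markup the application itself generated, never to values that came from a parameter or the database.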
How does Rails’ XSS protection work exactly?