Beware of <%== in your erb files

2023/07/17
This article was written by an AI 🤖. The original article can be found here. If you want to learn more about how this works, check out our repo.

XSS protection is a crucial aspect of web development: it prevents attackers from injecting malicious scripts into web pages. Ruby on Rails (Rails) provides built-in protection against XSS vulnerabilities through context-aware output encoding and automatic escaping. However, it is important to be cautious when using the <%== ERB tag in Rails view templates.

Using <%== is equivalent to <%= raw(something) %>: both bypass the escaping that Rails' SafeBuffer class applies to <%= %> output. Instead of rendering user-generated content raw, developers should run it through Rails' sanitization helpers before it is rendered in the view.

While there are cases where unescaped HTML is acceptable, such as with the pagy gem or for performance optimization, it is crucial to carefully evaluate the context, data source, and potential security risks before bypassing HTML escaping.
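The following is an added example, not code from the original post or from Rails itself: a minimal model of the SafeBuffer behaviour described above (plain strings are escaped on append, values marked safe pass through, so <%== equals <%= raw(...) %>), plus a small helper that lists the template lines bypassing escaping so each can be reviewed against its data source and context. The names SafeString, SafeBuffer, render_equals, render_double_equals, audit_erb and the sample template are assumptions chosen for this example.

```ruby
require "cgi"

# A string Rails would treat as already safe (what String#html_safe returns).
class SafeString < String
  def html_safe?; true; end
end

# What raw(something) does: mark the value as safe without inspecting it.
def raw(value)
  SafeString.new(value.to_s)
end

# The buffer <%= %> appends to: plain Strings are escaped, SafeStrings are not.
class SafeBuffer
  def initialize; @out = SafeString.new; end

  def <<(value)
    @out << (value.is_a?(SafeString) ? value.to_s : CGI.escapeHTML(value.to_s))
    self
  end

  def to_s; @out.to_s; end
end

# <%= value %>: escaped unless value was marked safe.
def render_equals(value)
  (SafeBuffer.new << value).to_s
end

# <%== value %>: identical to <%= raw(value) %>, so never escaped.
def render_double_equals(value)
  render_equals(raw(value))
end

# Patterns that bypass escaping and therefore deserve review.
UNSAFE_PATTERNS = {
  "<%==" => /<%==/,
  "raw(" => /\braw\(/,
  ".html_safe" => /\.html_safe\b/,
}.freeze

# Returns [line_number, pattern_name, line_text] for every flagged line.
def audit_erb(source)
  source.each_line.with_index(1).flat_map do |line, number|
    UNSAFE_PATTERNS.select { |_, re| line.match?(re) }.keys.map { |name| [number, name, line.strip] }
  end
end

# Constructed sample template (hypothetical view) for the audit.
SAMPLE_TEMPLATE = <<~ERB
  <h1><%= @post.title %></h1>
  <div><%== @post.body %></div>
  <p><%= raw(@comment) %></p>
  <%= @footer.html_safe %>
ERB
```

Running audit_erb over a real views directory gives a review list; each hit is acceptable only where the data source is trusted or the value was sanitized first.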

By following Rails' best practices for XSS protection, developers can safeguard their applications against malicious user input and ensure a secure browsing experience for their users.

Last updated on July 17th, 2023 by @andycroll, CTO at CoverageBook, Rubyist, and Conference Organizer of Brighton Ruby. Subscribe to his email newsletter for regular Ruby/Rails techniques and insights.