Cross site scripting (or XSS) is #2 on the 2010 OWASP Top Ten web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

content_tag is a view helper which generates an HTML tag with some content:

>> content_tag :p, "Hi!"
=> "<p>Hi!</p>"

In Rails 2, this content is unescaped (although attribute values are escaped):

>> content_tag :p, "<script>alert(1)</script>"
=> "<p><script>alert(1)</script></p>"

In Rails 3, the content is escaped. However, only the content and the tag attribute values are escaped. The tag and attribute names are never escaped in Rails 2 or 3.

This is more dangerous than a typical method call because content_tag marks its output as “HTML safe”, meaning the rails_xss plugin and Rails 3 auto-escaping will not escape its output. Due to this, content_tag should be used carefully if user input is provided as an argument.

Note that while content_tag does have an escape parameter, this only applies to tag attribute values and is true by default.

Back to Warning Types