content_tag is a view helper which generates an HTML tag with some content:
>> content_tag :p, "Hi!" => "<p>Hi!</p>"
In Rails 2, this content is unescaped (although attribute values are escaped):
>> content_tag :p, "<script>alert(1)</script>" => "<p><script>alert(1)</script></p>"
In Rails 3, the content is escaped. However, only the content and the tag attribute values are escaped. The tag and attribute names are never escaped in Rails 2 or 3.
This is more dangerous than a typical method call because
content_tag marks its output as “HTML safe”, meaning the
rails_xss plugin and Rails 3 auto-escaping will not escape its output. Due to this,
content_tag should be used carefully if user input is provided as an argument.
Note that while
content_tag does have an
escape parameter, this only applies to tag attribute values and is true by default.
Back to Warning Types