Tag security

XSS dangers: A classic reason to use image_tag instead of IMG tags in your rails view code.

This code seems fine in rails view code, right?

<img src="<%=@image%>" alt='<%=label%>'>

Wrong. What if someone drops this into your user generated content label?


Bad times ensue, because users can inject their own evil JS that actually BREAKS OUT of the tag and runs cross-site scripts. Always use link_to and image_tag when dealing with user generated text. They'll automatically escape attribute values, so text that would otherwise break out of the tag is rendered harmless. Special thanks to @Stephen on twitter for being a great security guru.
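As an added example (not code from the post), here is the vulnerable interpolation beside a hardened version that escapes attribute values the way image_tag does, using Ruby's stdlib ERB::Util.html_escape as a stand-in so it runs without Rails; the label value and the attribute-counting check are constructed for this demo.

```ruby
require "erb"

# Constructed sample input (not from the post): a user-supplied label that
# contains a single quote, the character that closes the alt='...' attribute.
UNTRUSTED_LABEL = "my pic' data-injected='1"
IMAGE_PATH = "/images/photo.png"

# Mirrors the post's vulnerable view line: raw interpolation with no escaping,
# which is how <%= %> behaved before Rails 3 escaped output by default.
def vulnerable_img_tag(src, label)
  "<img src=\"#{src}\" alt='#{label}'>"
end

# Hardened stand-in for image_tag: every attribute value is HTML-escaped
# (ERB::Util.html_escape turns ' into &#39; and < > & " into entities),
# so the label can no longer close the attribute it sits in.
def safe_img_tag(src, label)
  src_esc = ERB::Util.html_escape(src)
  label_esc = ERB::Util.html_escape(label)
  "<img src=\"#{src_esc}\" alt=\"#{label_esc}\">"
end

# Defender's check: list the attributes actually present in the rendered tag.
# A label that breaks out shows up as attributes the template never wrote.
def attribute_names(tag_html)
  tag_html.scan(/\s([a-zA-Z-]+)=(?:"[^"]*"|'[^']*')/).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{attribute_names(vulnerable_img_tag(IMAGE_PATH, UNTRUSTED_LABEL)).inspect}"
  puts "hardened:   #{attribute_names(safe_img_tag(IMAGE_PATH, UNTRUSTED_LABEL)).inspect}"
end
```

The vulnerable render yields three attributes (src, alt and the injected one) while the escaped render yields only src and alt, which is exactly the difference a template review should look for.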