Tag xss

XSS dangers: A classic reason to use image_tag instead of IMG tags in your rails view code.

This code seems fine in rails view code, right?

<img src="<%=@image%>" alt='<%=label%>'>

Wrong. What if someone drops this into your user generated content label?

"onmouseover=alert(document.cookie)

Bad times ensue, because users can inject their own evil JS that actually BREAKS OUT of the tag and run cross-site scripts. Always use link_to and image_to when dealing with user generated text. It'll automatically strip out text that otherwise would break out of the tag string. Special thanks to @Stephen on twitter for being a great security guru.