This code seems fine in Rails view code, right?
<img src="<%=@image%>" alt='<%=label%>'>
Wrong. What if someone drops this into the user generated content that ends up in label? (The alt attribute is single-quoted, so a single quote is what closes it; a double quote in @image does the same to the double-quoted src.)
' onmouseover='alert(document.cookie)
Bad times ensue, because the rendered markup is now <img src="..." alt='' onmouseover='alert(document.cookie)'>: the user's input has BROKEN OUT of the attribute and bolted its own event handler onto the tag, which is cross-site scripting. Always escape user generated text, and prefer the helpers (link_to, image_tag) when building tags from it: they run every attribute value through html_escape, which turns quotes and angle brackets into HTML entities so nothing can close the attribute early. It escapes rather than strips, so the text still displays; it just stops being markup. One caveat: Rails 3 and later escape <%= %> output by default, so the bare view above is only exploitable on Rails 2 or when the value has been marked html_safe or passed through raw. Special thanks to @Stephen on twitter for being a great security guru.
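To see the breakout and the fix side by side, here is an added example (mine, not code from the post) that renders the same img tag two ways, unescaped and through ERB::Util.html_escape, and then tokenizes the result the way a browser would to list which attributes actually exist. The attacker inputs EVIL_LABEL and EVIL_SRC are constructed for the example, and attribute_names / injected_handlers are hypothetical helpers, not Rails APIs.

```ruby
require 'erb'

# Constructed attacker inputs (assumptions for this example, not data from the post).
# The alt attribute in the view is single-quoted, so a single quote is what closes it;
# the src attribute is double-quoted, so a double quote closes that one.
EVIL_LABEL = "' onmouseover='alert(document.cookie)"
EVIL_SRC   = '" onerror="alert(1)'

# What the unescaped view produces: raw interpolation into both attributes.
def unsafe_img(src, label)
  "<img src=\"#{src}\" alt='#{label}'>"
end

# Hardened form: every interpolated value goes through html_escape,
# which is what Rails 3+ <%= %> and image_tag/link_to do for you.
def safe_img(src, label)
  "<img src=\"#{ERB::Util.html_escape(src)}\" alt='#{ERB::Util.html_escape(label)}'>"
end

# Minimal attribute tokenizer (hypothetical helper) following the rule a browser uses:
# a quoted value runs until its matching quote, an unquoted one until whitespace.
# Returns the attribute names in order, lowercased.
def attribute_names(tag)
  body = tag.sub(/\A<\w+/, '').sub(/\/?>\z/, '')
  names = []
  i = 0
  while i < body.length
    i += 1 while i < body.length && body[i] =~ /\s/
    break if i >= body.length
    start = i
    i += 1 while i < body.length && body[i] !~ /[\s=]/
    names << body[start...i].downcase
    i += 1 while i < body.length && body[i] =~ /\s/
    next unless body[i] == '='
    i += 1
    i += 1 while i < body.length && body[i] =~ /\s/
    if body[i] == '"' || body[i] == "'"
      close = body.index(body[i], i + 1) || body.length
      i = close + 1
    else
      i += 1 while i < body.length && body[i] !~ /\s/
    end
  end
  names
end

# Any on* attribute is an injected event handler, i.e. a successful breakout.
def injected_handlers(tag)
  attribute_names(tag).select { |n| n.start_with?('on') }
end

if __FILE__ == $0
  puts unsafe_img(EVIL_SRC, EVIL_LABEL)
  p injected_handlers(unsafe_img(EVIL_SRC, EVIL_LABEL)) # => ["onerror", "onmouseover"]
  puts safe_img(EVIL_SRC, EVIL_LABEL)
  p injected_handlers(safe_img(EVIL_SRC, EVIL_LABEL))   # => []
end
```

The point of tokenizing rather than grepping for "onmouseover" is that the escaped output still contains that word, but only as text inside the alt value; what matters is whether the quote that delimits the attribute was closed early, and only a quote-aware parse (or a browser) can tell you that.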