| Property | Value |
|---|---|
| Language | generic |
| Severity | low |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

Using <%== ... %> in Rails templates outputs content as raw HTML, bypassing the automatic escaping that <%= ... %> applies by default. This can expose your application to cross-site scripting (XSS) if untrusted user input is rendered through the raw tag.
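The difference between the two output tags, shown as an added example that is not part of this rule's text or of Rails itself: a stand-in for how Rails treats <%= %> (escaped via ERB::Util.html_escape) versus <%== %> (verbatim), plus a small scanner that reports which template lines use the raw tag. The template strings and the @name/@body variable names are constructed for the demonstration.

```ruby
require "erb"

# Constructed template fragments (not from any real application).
SAFE_TEMPLATE = "<p>Hello, <%= @name %></p>"
RAW_TEMPLATE  = "<p>Hello, <%== @name %></p>"

# Mimic how Rails renders the two tags for a single @name value:
#   <%=  %> passes the value through HTML escaping
#   <%== %> emits the value exactly as given
# Only the <%= %> / <%== %> forms for @name are handled; this is a
# teaching stand-in, not a template engine.
def render_fragment(template, value)
  template
    .gsub(/<%==\s*@name\s*%>/) { value }
    .gsub(/<%=\s*@name\s*%>/) { ERB::Util.html_escape(value) }
end

# Return the 1-based line numbers of a template that use the raw
# output tag, which is what a reviewer wants to audit for untrusted data.
def raw_output_lines(template)
  template.each_line.with_index(1)
          .select { |line, _| line.include?("<%==") }
          .map { |_, idx| idx }
end

if __FILE__ == $0
  # Constructed untrusted input containing markup.
  input = "Ada <b>Lovelace</b>"
  puts render_fragment(SAFE_TEMPLATE, input)  # markup is escaped
  puts render_fragment(RAW_TEMPLATE, input)   # markup reaches the browser as-is
  p raw_output_lines("<h1><%= @title %></h1>\n<div><%== @body %></div>\n")
end
```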

Impact

If exploited, attackers could inject malicious scripts into web pages served to your users, leading to data theft, session hijacking, or defacement. This undermines user trust and could expose sensitive information or enable further attacks on your application.