Rails 5 erb doesn't escape html

Question

In a rails 5.2.3 erb template:

<% input = "<script>alert('XSS')</script>" %>
<p><%= input %></p>

is showing <script>alert('XSS')</script> instead of &gt.. etc

Isn't <%= ... %> supposed to prevent against reflected xss attack? Same issue if input is retrieved from params[:input]

The raw is output in the html:

Where is it showing that? In the page as viewed by the user, of course it shows like that. In the source it is encoded to `<` though, so it's not executed. — Gabor Lengyel, Dec 12 '19 at 14:43
I added an image showing it's not escaped in the source html — rigyt, Dec 12 '19 at 14:52
Try ctrl-u :) My guess is that inspector is formatting it for you, but it is not colored as a tag, so it's just a text node in the DOM. — Gabor Lengyel, Dec 12 '19 at 14:56

score 0 · Answer 1 · answered Dec 12 '19 at 15:12

0

Need to look in source ctrl+u as Gabor suggested

answered Dec 12 '19 at 15:12

rigyt

1 Answers1