Our usage of Rails and markup rendering pipelines allows us to escape untrusted data by default during HTML rendering. However, there are always edge cases that could pop up. Read Rails’ security guide about XSS for more specific examples.
github.com domain. Additionally, we set the X-XSS-Protection header to instruct browsers to activate proactive XSS mitigation. To prevent an XSS exploit from compromising user sessions, access to sensitive cookies is disallowed by setting the
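As an added example (not GitHub's code), the response-side defences described above in plain Ruby: a Rack-style middleware that applies a Content-Security-Policy limited to the serving origin, sets X-XSS-Protection, and forces HttpOnly on every Set-Cookie, alongside the default output escaping ERB performs and an href scheme allowlist for one edge case that escaping alone does not cover. The CSP value, the class and helper names, and the cookie-format handling are assumptions.

```ruby
require "erb"
require "uri"

# Constructed example, not GitHub's own code: a minimal Rack-style middleware
# (an object with #call(env) returning [status, headers, body]).
class XssHardening
  # Assumed policy: scripts may only come from the serving origin.
  CSP = "default-src 'self'; script-src 'self'; object-src 'none'".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # 1. CSP restricts which origins may supply script to the page.
    headers["Content-Security-Policy"] ||= CSP
    # 2. Legacy auditor hint; current browsers ignore it, CSP is the real control.
    headers["X-XSS-Protection"] ||= "1; mode=block"
    # 3. HttpOnly keeps session cookies out of reach of any injected script.
    headers["Set-Cookie"] = harden_cookies(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  # Accepts Rack 2 ("\n"-joined string) or Rack 3 (array) Set-Cookie values.
  def harden_cookies(value)
    list = value.is_a?(String) ? value.split("\n") : Array(value)
    hardened = list.map { |c| c.match?(/;\s*HttpOnly\b/i) ? c : "#{c}; HttpOnly" }
    value.is_a?(String) ? hardened.join("\n") : hardened
  end
end

# Default output escaping, as ERB/Rails applies to untrusted data in HTML text.
def render_comment(untrusted)
  "<p>#{ERB::Util.html_escape(untrusted)}</p>"
end

# Edge case: escaping does not make a URL safe inside href; allowlist the scheme.
# Relative URLs (no scheme) are rejected here too; widen if the app needs them.
def safe_href(url)
  uri = URI.parse(url) rescue nil
  return "#" unless uri && %w[http https].include?(uri.scheme)
  ERB::Util.html_escape(url)
end
```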
More about cross-site scripting vulnerabilities from OWASP’s Top 10:
XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) Stored, 2) Reflected, and 3) DOM based XSS.