<script> var str = "</script><script>alert('Pwned');</script>"; </script>
Don't believe me? Try it for yourself. The browser ignores the fact that the
This behavior would be little more than a curiosity, were it not for the common pattern of injecting JSON into documents, say with ERB.
<script> var users = <%= @users.to_json.html_safe %>; </script>
If you have the line above anywhere in your code, and
@users includes some user submitted data, your application is vulnerable to a XSS attack.
If you're using Rails, you can thwart this vulnerability by setting
true. The default is