---
title: Use Safe Output Encoding
impact: HIGH
impactDescription: prevents Cross-Site Scripting (XSS) attacks
tags: security, xss, encoding, rails-erb
---

## Use Safe Output Encoding

Rails ERB HTML-escapes everything written through `<%= %>` by default. Avoid calling `.html_safe` or `raw` on user-supplied data: both mark the string as trusted HTML, so the auto-escaping is skipped and any markup in the data is rendered as-is.

**Incorrect (bypassing auto-escaping):**

```erb
<%# XSS vulnerability if params[:name] contains <script> %>
<%= raw "Hello, #{params[:name]}" %>
<%# Same problem: html_safe trusts the whole interpolated string, bio included %>
<%= "Your bio: #{user.bio}".html_safe %>
```

**Correct (relying on auto-escaping):**

```erb
<%# Safe by default %>
<%= "Hello, #{params[:name]}" %>

<%# If you must use HTML, sanitize it %>
<%= sanitize(user.bio) %>
```
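To make the bypass concrete, here is an added Ruby example (not Rails' own code) that models the behaviour with only the standard-library `erb`: `SafeString`, `escape_output` and `render_auto_escaped` are stand-ins for `ActiveSupport::SafeBuffer` and the escaping ActionView applies to every `<%= %>`, and `unsafe_output_lines` is a crude grep-style check in the spirit of Brakeman's warning, not a substitute for it. The template and the `params[:name]` value are constructed sample input.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: a string that claims to be HTML already.
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  # Like Rails' String#html_safe: "this is trusted HTML, do not escape it".
  def html_safe; SafeString.new(self); end
end

# Rails' `raw` helper is html_safe by another name.
def raw(value); value.to_s.html_safe; end

# The output buffer escapes anything that has not been explicitly marked safe.
def escape_output(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Rewrite each <%= expr %> to <%= escape_output((expr)) %>, which is what
# Rails does for every output tag without the template author asking.
def render_auto_escaped(template, locals)
  guarded = template.gsub(/<%=\s*(.+?)\s*%>/m) { "<%= escape_output((#{$1})) %>" }
  ERB.new(guarded).result_with_hash(locals)
end

# Heuristic only: report 1-based line numbers of output tags that call
# raw or .html_safe, so they can be reviewed by hand.
def unsafe_output_lines(template)
  template.lines.each_with_index
          .select { |line, _| line.match?(/<%=.*(\braw\b|\.html_safe\b)/) }
          .map { |_, i| i + 1 }
end

# Constructed sample input standing in for params[:name].
NAME = "<script>alert(1)</script>"

# Constructed template: the safe form next to the raw form from above.
TEMPLATE = <<~'ERB'
  <p><%= "Hello, #{name}" %></p>
  <p><%= raw "Hello, #{name}" %></p>
ERB

if __FILE__ == $0
  puts render_auto_escaped(TEMPLATE, name: NAME)
  puts "raw/html_safe used on template lines: #{unsafe_output_lines(TEMPLATE).inspect}"
end
```

The first paragraph comes out with `&lt;script&gt;`, the second with a live `<script>` tag, which is exactly the difference the incorrect and correct blocks above illustrate.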

**Tools:** Brakeman, Rails default
