---
title: Secure Dynamic JavaScript Encoding
impact: HIGH
impactDescription: prevents XSS in dynamic scripts and event handlers
tags: security, xss, javascript, jquery
---

## Secure Dynamic JavaScript Encoding

When generating JavaScript dynamically or inserting data into JS via ERB, encode the data for the JavaScript context rather than relying on ERB's default HTML escaping: inside a `<script>` block, HTML escaping neither stops a value from becoming executable JavaScript nor reliably keeps it inside its string literal. Emit values as JSON instead.

**Incorrect (direct insertion; a value such as `1; alert(1)` contains no HTML-special characters, so ERB's HTML escaping leaves it intact and it runs as JavaScript):**

```erb
<script>
  const config = { userId: <%= params[:user_id] %> };
</script>
```

**Correct (JSON encoding):**

```erb
<script>
  // to_json emits a JSON literal (quotes and backslashes escaped) and, with the
  // Rails default escape_html_entities_in_json, turns <, > and & into \u003c,
  // \u003e and \u0026, so the value can never close the <script> block.
  // html_safe stops ERB from HTML-escaping the JSON quotes into &quot;.
  const config = {
    userId: <%= params[:user_id].to_json.html_safe %>,
    theme: <%= @theme.to_json.html_safe %>
  };
</script>
```
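The two patterns above, run side by side as an added example (not code from the page or from Rails itself). It reimplements Rails' `ERB::Util.json_escape` character map in plain Ruby so that it runs without ActiveSupport, and the hostile inputs are constructed for the demonstration: one that tries to close the `<script>` element, one that is a plain JavaScript statement with no HTML metacharacters, and one carrying U+2028, which some JavaScript engines treat as a line terminator.

```ruby
require "json"
require "cgi"

# Constructed hostile inputs (not taken from the page). Each is harmless as a
# JSON string literal but dangerous when dropped raw into a <script> block.
HOSTILE_INPUTS = {
  breakout:  "</script><script>alert(1)</script>", # closes the script element
  statement: "1; alert(1)",                        # valid JS, no HTML metacharacters
  line_sep:  "a\u2028b",                           # U+2028 is a line terminator in JS
}.freeze

# Plain-Ruby equivalent of Rails' ERB::Util.json_escape (reimplemented here so
# the example runs without ActiveSupport): rewrite the characters that matter
# inside <script> to their \uXXXX forms. The JSON stays valid, because \uXXXX
# is a legal JSON string escape.
JSON_ESCAPE_MAP = {
  "&" => '\u0026', ">" => '\u003e', "<" => '\u003c',
  "\u2028" => '\u2028', "\u2029" => '\u2029',
}.freeze

def json_escape(json_string)
  json_string.gsub(/[&<>\u2028\u2029]/, JSON_ESCAPE_MAP)
end

# JSON.generate handles quotes and backslashes; json_escape closes the
# HTML-parser gap. This mirrors what `value.to_json.html_safe` yields in a
# Rails view with escape_html_entities_in_json enabled (the default).
def encode_for_script(value)
  json_escape(JSON.generate(value))
end

# The "incorrect" pattern: raw interpolation of the value into the script.
def unsafe_script(user_id)
  "const config = { userId: #{user_id} };"
end

# The same pattern with the HTML escaping Rails' <%= %> applies by default.
# It defeats the </script> breakout but not a plain JavaScript statement.
def html_escaped_script(user_id)
  "const config = { userId: #{CGI.escapeHTML(user_id)} };"
end

# The "correct" pattern from the page, with the encoding done in Ruby.
def safe_script(user_id, theme)
  "const config = { userId: #{encode_for_script(user_id)}, " \
    "theme: #{encode_for_script(theme)} };"
end

# Detection helper: does the generated text contain a raw </script sequence
# (case-insensitive, the way the HTML parser matches it)?
def closes_script_tag?(script)
  script.match?(%r{</script}i)
end

if __FILE__ == $PROGRAM_NAME
  HOSTILE_INPUTS.each do |name, value|
    puts "#{name}:"
    puts "  unsafe       -> #{unsafe_script(value)}"
    puts "  html-escaped -> #{html_escaped_script(value)}"
    puts "  safe         -> #{safe_script(value, 'dark')}"
  end
end
```

Running the script prints the three renderings for each input. The `statement` case is the one worth noticing: HTML escaping leaves `1; alert(1)` untouched and the result is executable JavaScript, while the JSON-encoded version is a quoted string literal. The `breakout` case shows why `json_escape` (or `escape_html_entities_in_json`) matters on top of `JSON.generate`: plain JSON does not escape `<`, so the HTML parser would still see `</script>`.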

`to_json` only neutralizes `<`, `>` and `&` because Rails enables `escape_html_entities_in_json` by default; if that setting is turned off, or the JSON is produced outside Rails, pass it through `json_escape` rather than relying on `html_safe` alone.

**Tools:** Brakeman, Rails default
---
