Avoiding injection
Injection vulnerabilities occur when an attacker can inject code into your application. There are three common types of injection vulnerabilities in Ruby web applications: script injection, SQL injection, and code injection (remote code execution). We'll look at these in more detail in the following subsections.
Script injection
Script injection, otherwise known as cross-site scripting or XSS for short, is a vulnerability where an attacker can cause script they control to be included in your web pages. It's not nearly as bad as SQL injection and code injection, but it can still cause significant problems. For example, let's say you are using Sinatra or Roda for your application, and you have the following code in one of your views:
# In your ERB code:
<p>Added by: <%= params['name'] %></p>
Here, an attacker can redirect someone they know uses your site to a path such as /path/to/action?name=%3Cscript%3EDo+bad+things...
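The view above rendered with and without output escaping, as an added example in plain Ruby (not code from the original text); the params hash and the decoded query value are constructed for the demonstration.

```ruby
require 'erb'
require 'uri'

# Added example (not from the original text): the ERB view above rendered
# with and without output escaping, using only Ruby's standard library.
# Sinatra/Roda are not needed; the params hash is constructed by hand.

# Vulnerable: plain ERB's <%= %> inserts the value verbatim into the HTML.
UNSAFE_VIEW = "<p>Added by: <%= params['name'] %></p>"

# Hardened: escape the untrusted value on output. ERB::Util.h turns
# < > & " ' into entities, so the browser renders text, not markup.
SAFE_VIEW = "<p>Added by: <%= ERB::Util.h(params['name']) %></p>"

# Constructed sample of the query value from the text, completed with a
# closing tag. Rack URL-decodes it before it reaches params['name'].
ENCODED_NAME = '%3Cscript%3EDo+bad+things%3C%2Fscript%3E'

def decode_param(value)
  # application/x-www-form-urlencoded: %XX escapes and '+' for space
  URI.decode_www_form_component(value)
end

def render(view, params)
  ERB.new(view).result_with_hash(params: params)
end

def render_unsafe(name)
  render(UNSAFE_VIEW, { 'name' => name })
end

def render_safe(name)
  render(SAFE_VIEW, { 'name' => name })
end

# Simple check a test suite can apply to rendered output:
# untrusted input must never survive as a live <script> element.
def script_tag?(html)
  html.match?(%r{<script\b}i)
end

if __FILE__ == $PROGRAM_NAME
  name = decode_param(ENCODED_NAME)
  puts render_unsafe(name) # <p>Added by: <script>Do bad things</script></p>
  puts render_safe(name)   # <p>Added by: &lt;script&gt;Do bad things&lt;/script&gt;</p>
end
```

In Sinatra, set :erb, escape_html: true makes <%= %> escape by default, and Roda's render plugin accepts plugin :render, escape: true for the same effect, so escaping is not left to each individual view.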