Example: If we store <script>alert(299792458)</script> as a first name input, the value gets accepted and stored.
When we display the data, an alert pops up. I understand that it's Cross-Site Scripting (XSS). I have gone through http://guides.rubyonrails.org/security.html#cross-site-scripting-xss but I wasn't able to understand it.
All I need to do is make sure that the alert doesn't happen. So, what's the best option: sanitize the first name while saving it, or use html_safe when displaying it?
I used this function and it worked as expected.
On the display page, it showed
<script>alert("123");</script> but the script didn't run because it escaped the tags.
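To make the difference between the two options concrete, here is an added example (not code from the question or from Rails itself) that uses the stdlib `ERB::Util.html_escape`, the same escaping Rails applies to `<%= %>` output by default, and contrasts it with the effect of interpolating a string marked as trusted via `html_safe`. The `render_profile*` helpers, the `FIRST_NAME` sample and `contains_script_tag?` are constructed for illustration.

```ruby
# Added example: output escaping vs. trusting stored input (not from the question).
require 'erb'

# Constructed sample input: the payload described in the question, stored as-is.
# Storing it unchanged is fine; the stored value is just data.
FIRST_NAME = '<script>alert(299792458)</script>'

# Safe rendering: escape at output time. This is what Rails does for <%= name %>
# unless the string has been marked html_safe. Encodes < > & " ' as entities.
def render_profile(first_name)
  "<p>First name: #{ERB::Util.html_escape(first_name)}</p>"
end

# Unsafe rendering: equivalent of <%= name.html_safe %> or <%= raw name %>.
# The stored markup is emitted verbatim, so the browser executes it.
def render_profile_unsafe(first_name)
  "<p>First name: #{first_name}</p>"
end

# Small check helper: does the produced HTML still contain a live <script> tag?
def contains_script_tag?(html)
  html.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  puts render_profile(FIRST_NAME)         # escaped: &lt;script&gt;...&lt;/script&gt;
  puts render_profile_unsafe(FIRST_NAME)  # raw: the script tag survives
end
```

Note that `html_safe` tells Rails to skip escaping, so calling it on user-controlled input reintroduces exactly the bug; escaping at display time (the default) is the fix, and sanitizing on save is only an extra layer.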