ruby - Why do I get a cross-site scripting warning with Rails?
In my Rails application's view template I have to assign an instance value to a CoffeeScript variable. I did this:

    :coffeescript
      @selected_tab = "#{@tab}"

It works fine, but I am getting a cross-site scripting warning:

    Unescaped parameter value (around line 44): find_and_preserve(Haml::Filters::Coffee.render_with_options("@selected_tab = \"#{params[:tab]}\"\n", _hamlout.options))
I think you'd be better off not inserting variables directly into CoffeeScript.

Check out these methods: http://railscasts.com/episodes/324-passing-data-to-javascript
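As an added example (not code from the question, the answer or Rails itself), here is the interpolation pattern from the question beside two hardened forms in plain Ruby: `json_escape` reimplements what Rails' `ERB::Util.json_escape` does, and `tab_data_attribute` and `script_breakout?` are helper names assumed for this illustration.

```ruby
require 'json'
require 'cgi'

# The pattern from the question: an untrusted parameter is interpolated
# straight into a CoffeeScript/JavaScript string literal. A closing quote
# or a </script> tag in the value becomes part of the page's script, which
# is why Brakeman reports an unescaped parameter value.
def unsafe_script(tab)
  %(@selected_tab = "#{tab}")
end

# Hardened form: emit the value as a JSON literal and additionally escape
# the characters that can terminate the surrounding <script> element or
# break a JS source line. This mirrors Rails' ERB::Util.json_escape; it is
# reimplemented here (assumption) so the snippet runs without ActiveSupport.
JSON_ESCAPE = {
  '&' => '\u0026', '>' => '\u003e', '<' => '\u003c',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def json_escape(value)
  value.to_json.gsub(/[&<>\u2028\u2029]/) { |c| JSON_ESCAPE[c] }
end

def safe_script(tab)
  %(@selected_tab = #{json_escape(tab)})
end

# Alternative from the linked Railscast: keep data out of the script
# entirely. Render it HTML-escaped into a data attribute and let the
# CoffeeScript read it from the DOM ($('#tabs').data('selectedTab')).
def tab_data_attribute(tab)
  %(<div id="tabs" data-selected-tab="#{CGI.escapeHTML(tab)}"></div>)
end

# Heuristic check for the two breakout symptoms in a rendered fragment:
# a closing script tag, or an unescaped quote that ends the literal early.
def script_breakout?(js)
  js =~ %r{</script}i ? true : js.scan(/(?<!\\)"/).size != 2
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign value, a quote breakout, a tag breakout.
  ['news', 'news"; other = "x', '</script><p>injected</p>'].each do |tab|
    puts "unsafe: #{unsafe_script(tab)}  breakout=#{script_breakout?(unsafe_script(tab))}"
    puts "safe:   #{safe_script(tab)}  breakout=#{script_breakout?(safe_script(tab))}"
  end
end
```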