XSS #1: There’s a huge cross-site scripting hole if you use the meta refresh tag…it has a “data” attribute into which you can insert arbitrary javascript.

XSS #2: Cross-site scripting resources, from an internal mailing list:

• “I’ve gained a new appreciation for the importance of carefully thinking through security and escaping in RoR there’s more than just h()’ing all your user entered data.”

• XSS vulnerabilities – http://ha.ckers.org/xss.html.
  Very useful catalog of different XSS vectors. Includes some utilities to base64-, URL- and hex- encode attacks so you can test out your apps.

• General OWASP wiki – http://www.owasp.org/index.php/Main_Page. Lots of useful data information here. OWASP is a nonprofit group charted to improve the security of webapps in general.

• Security Guide for RoR -
  http://www.lulu.com/product/download/owasp-ruby-on-rails-security-guide/4489819 general guidelines/things to think about for securing RoR apps.

• Loofah – http://github.com/flavorjones/loofah is supported by a fellow Pivot and provides fast and good sanitization built on Nokogiri, albeit slightly slower on short strings than brittle regular expressions. It’s in production at several companies.

  “Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it most likely won’t make your codes less secure.”

Happy New Year