Bill Van Der Laan Vanderln

Web Security (should know for job interviews)

This post outlines three common web security vulnerabilities with specific examples in Rails. For a more complete list, I highly recommend the OWASP Rails security cheatsheet.

Cross-Site Scripting (XSS)

A cross-site scripting attack is one in which malicious script is injected into a web site and then executed by its users' browsers, compromising the site for them.

For example, let's say we want to allow HTML tags such as <strong> in our blog comments, so we render the raw output using the Rails method #html_safe:
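The three rendering choices implied above, as an added example that is not the gist's own code: the html_safe path is stood in for by plain string interpolation (Rails is not loaded), the default escaping path uses Ruby's stdlib ERB::Util.html_escape, and an escape-then-restore allowlist keeps <strong> working without letting attributes or other tags through. The comment string, the ALLOWED_TAGS list and the helper names are constructed for this example.

```ruby
require 'erb'

# A constructed blog comment mixing a legitimate <strong> tag with an injected
# script, the shape an attacker-controlled input would take.
UNTRUSTED_COMMENT = 'Great post, <strong>thanks</strong>! <script>alert(document.cookie)</script>'

# Vulnerable path: marking the string html_safe (or calling raw) tells Rails to
# skip escaping, so the comment reaches the browser byte-for-byte. Plain
# interpolation stands in for that behaviour here since Rails is not loaded.
def render_comment_unsafe(comment)
  "<p class=\"comment\">#{comment}</p>"
end

# Default Rails behaviour: every interpolated string is escaped, which defeats
# XSS but also turns the intended <strong> tag into visible text.
def render_comment_escaped(comment)
  "<p class=\"comment\">#{ERB::Util.html_escape(comment)}</p>"
end

# Allowlist approach: escape everything first, then restore only exact,
# attribute-free tags from a fixed list. Because only these literal tokens are
# reverted, an attacker cannot smuggle attributes (onclick=...) or other tags.
ALLOWED_TAGS = %w[strong em].freeze

def render_comment_allowlist(comment)
  safe = ERB::Util.html_escape(comment)
  ALLOWED_TAGS.each do |tag|
    safe = safe.gsub("&lt;#{tag}&gt;", "<#{tag}>").gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  "<p class=\"comment\">#{safe}</p>"
end

# Crude check for the review pipeline: does a rendered fragment still carry a
# live <script> tag?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment_unsafe(UNTRUSTED_COMMENT)
  puts render_comment_escaped(UNTRUSTED_COMMENT)
  puts render_comment_allowlist(UNTRUSTED_COMMENT)
end
```

In a real Rails app the allowlist step is what the built-in sanitize helper (with a tags: list) does far more robustly; the hand-rolled gsub version is here only to make the mechanism visible.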