Thursday, June 19, 2008

Cross Site Scripting (XSS)

For now, here's what you need to do. When you see something like this:

<%= @asset.description %>

make sure you treat it as a potential XSS vector (the value is rendered into the page unescaped) and simply fix it like so:

<%= h(@asset.description) %>

Tainting, or XSS Shield (http://code.google.com/p/xss-shield)
XSS Shield protects your views against cross-site scripting attacks without error-prone manual escaping with h().

Instead of:

<%= h(item.name) %>

<%= link_to "#{h(item.first_name)}'s stuff", :action => :view, :id => item %>

You will be able to write:

<%= item.name %>

<%= link_to "#{item.first_name}'s stuff", :action => :view, :id => item %>



and all your views will be automatically protected. Protection works by tagging strings you trust - which are only those escaped by h(), generated by trusted helpers (like link_to, text_area, will_paginate etc.), or explicitly marked as trusted by you. If an untrusted string is to be displayed in a template, it is h-escaped first.

XSS Shield supports RHTML and HAML.

To install the plugin run:

./script/plugin install -x http://xss-shield.googlecode.com/svn/trunk/xss-shield/
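To make the tainting idea concrete, here is an added example in plain Ruby. It is my own constructed code, not XSS Shield's implementation and not the real Rails helpers: SafeBuffer, h, link_to, render and the Asset struct are hypothetical stand-ins that show how a view layer can remember which strings are already escaped, pass those through, and escape everything else at output time.

```ruby
require 'cgi'

# Constructed illustration of the "trusted string" idea behind XSS Shield.
# NOT the plugin's code: SafeBuffer, h, link_to and render are hypothetical
# stand-ins for Rails view helpers.

# A string that has already been escaped (or was built by a trusted helper).
# Only instances of this class are written to the page unescaped.
class SafeBuffer
  def initialize(str)
    @str = str.to_s.dup.freeze
  end

  def to_s
    @str
  end

  # Appending keeps the buffer safe: anything that is not already trusted
  # is escaped before it is joined on.
  def +(other)
    SafeBuffer.new(@str + render(other))
  end
end

# The view-level escape: HTML-escape and mark the result as trusted, so it is
# not escaped a second time when the template is written out.
def h(value)
  SafeBuffer.new(CGI.escapeHTML(value.to_s))
end

# Stand-in for a trusted helper such as link_to: it escapes its own arguments
# and returns a trusted buffer.
def link_to(text, href)
  SafeBuffer.new(%(<a href="#{CGI.escapeHTML(href.to_s)}">#{render(text)}</a>))
end

# The output step that <%= ... %> would run: trusted buffers pass through,
# plain Strings (model attributes, params) are escaped. This is what lets a
# template write <%= item.name %> without an explicit h().
def render(value)
  value.is_a?(SafeBuffer) ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Constructed model object standing in for @asset in the post's template.
Asset = Struct.new(:description, :owner_first_name)

# The post's two template lines, assembled the way an auto-escaping view
# would: the description is untrusted and gets escaped; link_to's output is
# trusted and is written through unchanged.
def render_asset(asset)
  out = SafeBuffer.new('<p>')
  out = out + asset.description
  out = out + SafeBuffer.new('</p>')
  out = out + link_to("#{asset.owner_first_name}'s stuff", '/assets/1')
  out.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing markup that must not reach the page.
  asset = Asset.new('<script>alert(1)</script>', 'Tom & Jerry')
  puts render_asset(asset)
end
```

The point to notice is the asymmetry: forgetting h() on a model attribute is now harmless because render escapes anything it does not recognise as trusted, while a string that has already been through h() or a trusted helper is not escaped again, so the double-escaping that makes manual h() error-prone does not occur. The residual risk sits entirely in whatever code marks strings as trusted, so that is where review effort should go.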


Referred from google and peepcode