Security Engineer and ethical hacker with 11+ years building secure software and hardening production systems. Expert in application security, secure authentication, cloud...
<h1><%= @post.title %></h1>
<p><%= @post.author_name %></p>
<%# Only sanitized rich text should be rendered as HTML %>
<div class="prose"><%= sanitize(@post.body_html, tags: %w[p a ul ol li strong em code], attributes: %w[href]) %></div>
# Vulnerable: user input is concatenated directly into SQL.
email = params[:email]
password = params[:password]
sql = "SELECT * FROM users WHERE email = '#{email}' AND password_hash = '#{password}'"
user = ActiveRecord::Base.connection.execute(sql).first