class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
before_action :authenticate_user!
end
// 1. DANGEROUS: Never use innerHTML with user input
const userInput = '<img src=x onerror="alert('XSS')">';
// WRONG - vulnerable to XSS
document.getElementById('output').innerHTML = userInput;