Beware: Server-side APIs for Client-Side Rendering and Cross Site Scripting (XSS)
I made this mistake, and I believe it is a common scenario worth considering: you have a Rails app and you need to quickly expose your resources as JSON APIs. You go for the easy “#to_json” render so your JavaScript SPA can do a quick Ajax fetch and, boom, your app is open to a Cross Site Scripting (XSS) vulnerability. Learn about it and how to protect yourself right now.
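The client-side half of the mistake described above, as an added example that is not from the original post: a constructed JSON response of the kind a Rails “#to_json” render would hand to the SPA, rendered first by plain string concatenation and then with escaping. The resource name, field names and response shape are assumptions.

```javascript
// Added example (not from the original post). When rendering moves from ERB to a
// JavaScript SPA, the HTML escaping that `<%= %>` performed on the server is gone;
// the SPA must escape every API value itself before turning it into markup.

// Constructed sample response, as a Rails `render json: @comments` (assumed resource
// and fields) might produce it. The second body is attacker-controlled input that was
// stored verbatim and is returned by the API exactly as submitted.
const SAMPLE_RESPONSE = JSON.stringify([
  { id: 1, author: "alice", body: "Looks good to me" },
  { id: 2, author: "mallory", body: '<img src=x onerror="alert(1)">' },
]);

// Vulnerable rendering: field values are concatenated straight into markup that the
// SPA would assign to element.innerHTML, so the stored <img onerror> becomes live.
function renderCommentsUnsafe(jsonText) {
  const comments = JSON.parse(jsonText);
  return comments
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("");
}

// Escape the five characters that can change the meaning of HTML text or attribute
// content. This is the work the server-side template used to do for free.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: every value from the API is escaped before it becomes markup.
// In a real SPA prefer textContent or a templating library that escapes by default.
function renderCommentsSafe(jsonText) {
  const comments = JSON.parse(jsonText);
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("");
}

// Detection helper for the self-check: does the produced markup still carry a live tag?
function containsLiveTag(html) {
  return /<img\b/i.test(html);
}
```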