The first page is an html.erb while the second is a HAML variant. The source is here. The following is a snippet:
```haml
%p HAML: content_for marks input as html_safe but does not sanitize it.
- content_for(:page_title) { "</title><script>alert('Pawned')</script>;" }
- puts content_for(:page_title) #=> prints unsanitized text marked as html_safe.
%p= content_for(:page_title)
```
Debugging reveals that content_for, when used in HAML, does not sanitize the given input.
This issue is seen in HAML v1 and v2, Rails 4-6.
Not sure whether this should be reported here or on Rails. This issue is only seen when using HAML with Rails.
See the following pages:
https://content-for-rails.herokuapp.com/works
https://content-for-rails.herokuapp.com/fails
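As an added example (not the reporter's code, and not Rails or HAML code), the mitigation in plain Ruby: escape an untrusted value with `ERB::Util.html_escape` before it reaches `content_for`, so the block's return value is already inert even if the helper marks it `html_safe` without escaping; `title_tag` and `title_intact?` are assumed helpers that stand in for the layout's `<title>` markup and a check that no breakout occurred.

```ruby
require "erb"

# Constructed untrusted value, modelled on the string in the report above.
UNTRUSTED_TITLE = "</title><script>alert('Pawned')</script>;".freeze

# Escape a value before handing it to content_for. The result contains no
# raw '<', '>', '&' or quotes, so marking it html_safe afterwards is harmless.
def escaped_page_title(untrusted)
  ERB::Util.html_escape(untrusted.to_s)
end

# Assumed layout markup: the layout interpolates the page title into <title>.
def title_tag(title)
  "<title>#{title}</title>"
end

# Defensive check on the rendered fragment: exactly one <title> open and one
# close tag, and nothing tag-like in between, i.e. the value did not break out.
def title_intact?(html)
  html.start_with?("<title>") &&
    html.end_with?("</title>") &&
    html.scan(%r{</?[a-z]}i).length == 2
end

if $PROGRAM_NAME == __FILE__
  puts title_tag(UNTRUSTED_TITLE)                     # breakout: extra tags appear
  puts title_tag(escaped_page_title(UNTRUSTED_TITLE)) # inert: entities only
end
```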