Rule: erb-no-raw-output-in-attribute-value
ERB interpolation with <%== inside HTML attribute values is never safe. The <%== syntax bypasses HTML escaping entirely, allowing arbitrary attribute injection and XSS attacks. Use <%= instead to ensure proper escaping.
The <%== syntax outputs content without any HTML escaping. In an attribute value context, this means an attacker can inject a quote character to terminate the attribute, then inject arbitrary attributes including JavaScript event handlers. Even when combined with .to_json, using <%== in attributes is unsafe: .to_json escapes for a JavaScript string context, not an HTML attribute context, so the double quotes it emits terminate the attribute, and <%== bypasses the template engine's built-in escaping that would otherwise prevent attribute breakout.
Good:
<div class="<%= user_input %>"></div>

Bad:
<div class="<%== user_input %>"></div>
<a href="<%== unsafe %>">Link</a>
<a onclick="method(<%== unsafe.to_json %>)"></a>
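The following is an added example, not part of the rule's documentation or the linter's own code. It reproduces the two behaviours with Ruby's standard library ERB, which never escapes on its own: the ESCAPED_* templates apply ERB::Util.html_escape the way a Rails <%= tag does, and the RAW_* templates interpolate verbatim the way <%== does. The inputs are constructed, and the helper attribute_intact? is a hypothetical check that only holds for these single-attribute templates.

```ruby
require "erb"
require "json"

# Stdlib ERB does not escape <%= %>, so the two Rails tags are modelled explicitly:
# ESCAPED_* stands for <%= %> (auto-escaped), RAW_* stands for <%== %> (verbatim).
ESCAPED_TEMPLATE      = ERB.new('<div class="<%= ERB::Util.html_escape(user_input) %>"></div>')
RAW_TEMPLATE          = ERB.new('<div class="<%= user_input %>"></div>')
ESCAPED_JSON_TEMPLATE = ERB.new('<a onclick="method(<%= ERB::Util.html_escape(unsafe.to_json) %>)"></a>')
RAW_JSON_TEMPLATE     = ERB.new('<a onclick="method(<%= unsafe.to_json %>)"></a>')

# Equivalent of <div class="<%= user_input %>"> in Rails: quotes become &quot;.
def render_escaped(user_input)
  ESCAPED_TEMPLATE.result_with_hash(user_input: user_input)
end

# Equivalent of <div class="<%== user_input %>">: the value lands in the attribute unchanged.
def render_raw(user_input)
  RAW_TEMPLATE.result_with_hash(user_input: user_input)
end

# Equivalent of <a onclick="method(<%= unsafe.to_json %>)">.
def render_escaped_json(unsafe)
  ESCAPED_JSON_TEMPLATE.result_with_hash(unsafe: unsafe)
end

# Equivalent of <a onclick="method(<%== unsafe.to_json %>)">.
def render_raw_json(unsafe)
  RAW_JSON_TEMPLATE.result_with_hash(unsafe: unsafe)
end

# Hypothetical check: each template above has exactly one quoted attribute, so a
# correctly escaped render contains exactly two double-quote characters. Any
# extra quote means the interpolated value terminated the attribute early.
def attribute_intact?(html)
  html.count('"') == 2
end

if __FILE__ == $0
  # Constructed input that tries to close the class attribute and add another one.
  breakout = 'x" data-injected="yes'
  puts render_escaped(breakout)      # <div class="x&quot; data-injected=&quot;yes"></div>
  puts render_raw(breakout)          # <div class="x" data-injected="yes"></div>
  # Even a harmless value breaks the attribute once .to_json wraps it in quotes.
  puts render_escaped_json("x")      # <a onclick="method(&quot;x&quot;)"></a>
  puts render_raw_json("x")          # <a onclick="method("x")"></a>
end
```

The to_json case is the instructive one: the value "x" contains nothing hostile, yet the JSON encoder's own surrounding quotes end the onclick attribute when <%== is used. With <%=, the quotes are emitted as &quot;, which the browser decodes back into quotes inside the attribute before the JavaScript runs, so the call still works and the attribute boundary is preserved.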