rails version specified in Gemfile does not encode JSON keys RB-A1010
When a Hash containing user-controlled data is encoded as JSON (for example through
ActiveSupport::JSON.encode), Rails does not perform adequate escaping that matches the guarantee implied by the
escape_html_entities_in_json option (which is enabled by default).
If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
Upgrading to newer versions of Rails can help fix this issue.
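The difference between escaping only values and escaping the whole serialized string, as an added example that is not Rails code and not part of the original rule text. It uses Ruby's standard json library; encode_values_only, json_for_html and html_safe_json? are hypothetical helper names, and encode_values_only only simulates the behaviour described above.

```ruby
require "json"

# Characters that let text escape an HTML <script> context, mapped to
# equivalent JSON \uXXXX escapes (parsers decode them back unchanged).
HTML_UNSAFE = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze
HTML_UNSAFE_RE = /[<>&\u2028\u2029]/

# Simulated flaw (hypothetical helper, not Rails code): string values are
# escaped, Hash keys are emitted as-is.
def encode_values_only(obj)
  case obj
  when Hash
    pairs = obj.map { |k, v| "#{JSON.generate(k.to_s)}:#{encode_values_only(v)}" }
    "{#{pairs.join(',')}}"
  when Array
    "[#{obj.map { |v| encode_values_only(v) }.join(',')}]"
  when String
    JSON.generate(obj).gsub(HTML_UNSAFE_RE, HTML_UNSAFE)
  else
    JSON.generate(obj)
  end
end

# Hardened form (hypothetical helper): serialize first, then escape the
# whole JSON text, so keys and values get the same treatment.
def json_for_html(obj)
  JSON.generate(obj).gsub(HTML_UNSAFE_RE, HTML_UNSAFE)
end

# Check usable in a unit test: true when the text has no HTML-significant
# characters left.
def html_safe_json?(text)
  !text.match?(HTML_UNSAFE_RE)
end

# Constructed sample: the key, not the value, carries the markup.
SAMPLE = { "</script>" => "<b>&", "list" => ["a>b"] }.freeze

if __FILE__ == $PROGRAM_NAME
  puts encode_values_only(SAMPLE) # key still contains </script>
  puts json_for_html(SAMPLE)      # every < > & is a \uXXXX escape
end
```

A check like html_safe_json? can be run in a test suite against any JSON the application embeds in a page, so a regression in key escaping is caught regardless of the installed Rails version.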