I confirmed that when I uploaded a gem file with the author, name, platform, and description, it became XSS because it was not escaped in each view. This is a fix in gemirro. PierreRambaud/gemirro@...