
I would assume Twitter is using conventional ERB templates since their front end is written using Rails.

The ERB templates used by rails don't escape HTML by default--you have to write <%= h user_provided_value %> instead of <%= user_provided_value %> to mitigate cross-site scripting attacks such as this. It's pretty easy to miss, even if you know you should always escape user-provided data.

Django's template engine, for instance, automatically escapes strings (though I think this can be disabled). To not escape HTML, you must either specify it or a method producing said string can mark it as "safe".

Though ERB is great in that it's incredibly versatile--we use it to generate several types of configuration files--I would very much prefer for it to escape HTML by default when asked to render a string in the context of an HTML page generated by a Rails app. Form helpers and methods such as "render" could be modified to mark Strings that contain HTML you wouldn't want escaped as "unescapable", much like Django does.

The way it works now invites problems like this, even from competent programmers.
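An added illustration of the two template behaviours described above (example code, not the commenter's and not Rails' own implementation): the first template is the Rails-2-style ERB where `h` must be called explicitly, and the second rewrites the template so that `<%= %>` escapes by default unless a value is wrapped in a hypothetical `SafeString` marker, in the spirit of Django's mark_safe.

```ruby
require "erb"

# Constructed sample: a profile field holding markup that would run as script
# if a template printed it without escaping.
USER_INPUT = %q{<script>alert("xss")</script>}
# Rails-2-era ERB: <%= value %> prints raw; <%= h value %> escapes (h comes
# from ERB::Util). Forgetting the h is the mistake the comment describes.
MANUAL_TEMPLATE = <<~ERB
  raw: <%= user_provided_value %>
  escaped: <%= h user_provided_value %>
ERB

class TemplateContext
  include ERB::Util # provides h (alias of html_escape)
  attr_reader :user_provided_value
  def initialize(value)
    @user_provided_value = value
  end
  def render(src)
    ERB.new(src).result(binding)
  end
end

def render_manual(value)
  TemplateContext.new(value).render(MANUAL_TEMPLATE)
end

# Escape-by-default variant, in the spirit of Django's mark_safe and the Rails
# change the comment asks for. SafeString is a hypothetical marker type, not a
# Rails API: a value wrapped in it is trusted markup and passes through;
# everything else is escaped.
class SafeString < String; end
def escape_unless_safe(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Rewrite every <%= expr %> so its output goes through escape_unless_safe.
# Simplification for the demo: a real engine does this in its compiler.
def auto_escape_source(src)
  src.gsub(/<%=\s*(.*?)\s*%>/) { "<%= escape_unless_safe((#{$1})) %>" }
end
AUTO_TEMPLATE = <<~ERB
  raw: <%= user_provided_value %>
  trusted: <%= SafeString.new("<b>bold</b>") %>
ERB

def render_auto(value)
  TemplateContext.new(value).render(auto_escape_source(AUTO_TEMPLATE))
end
```

Calling `render_manual(USER_INPUT)` shows the script tag surviving on the `raw:` line and entity-encoded on the `escaped:` line, while `render_auto(USER_INPUT)` encodes the user value everywhere and only lets the `SafeString` markup through.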



Ahh, looks like it's being rolled in sometime soon:

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/...


I think Rails 3 does escaping by default, no?


They're working on it.



