I assume that many of you have written (and still writing) helpers for your views in your awesome Rails projects. A helper, as you all know, is a module which contains methods that are vital for the simplification and the dryness of your views. And because helpers are meant to be used within your views they often contain html code (either plain or ruby code that produces html) which, as you may have noticed, is not very flexible.
In Rails 3 (contrary to Rails 2) Strings are automatically escaped using ERB::Util.h(string) and the reason is simple. In 95% of the cases you won’t have to print html code inside ruby strings like this:
< %="<h1>Hello World"%>
In Rails 2 for this 95% of the cases you had to call the “h” helper to escape the output which was really annoying and insecure (if you forgot one).
Although this was the case for views, constructing a helper that prints html content became tricky in Rails 3. If you want your html content to stay unescaped it has to be an ActiveSupport::SafeBuffer instance instead of a String instance. To achieve this there are two solutions: Continue reading →