html_safe and helpers in rails 3 – Rails 2 vs 3
In Rails 3 (contrary to Rails 2) Strings are automatically escaped using
ERB::Util.h(string) and the reason is simple. In 95% of the cases you won’t have to print html code inside ruby strings like this:
< %="<h1>Hello World"%>
In Rails 2 for this 95% of the cases you had to call the “h” helper to escape the output which was really annoying and insecure (if you forgot one).
Although this was the case for views, constructing a helper that prints html content became tricky in Rails 3. If you want your html content to stay unescaped it has to be an
ActiveSupport::SafeBuffer instance instead of a
String instance. To achieve this there are two solutions: Continue reading