Using html_safe in Rails bypasses XSS protection and is risky when user input is involved. Rails provides three safer alternatives: the tag helper for building HTML elements (auto-escapes content and attributes), safe_join for combining safe HTML fragments with potentially unsafe text, and sanitize for accepting user-provided HTML while stripping dangerous tags like script elements and event handlers. html_safe has legitimate uses only when content is fully controlled, such as output from trusted gems or truly static strings with no user input.