Guidance for using html_safe

[andyw8]

I noticed there's no mention of #html_safe in views and helpers. I've found this to be a commonly misused/misunderstood part of Rails, but I'm not sure if it should be considered as 'style'. Any thoughts?

[pirj]

My rule of thumb is to sanitize anything that can be user-provided (including when it's coming from the database, or uploaded/fetched files, not just HTTP params), and only allow it to participate as a source for rendering with html_safe.
For anything that comes from the application source code/resources, use html_safe deliberately.

[pirj]

@andyw8 Your writing skills are evidently superior to mine, so who would be better than you to send a PR?

[andyw8]

I haven't done anything with html_safe for a while, so I'd need a refresh on the best practices – I'll try come back to this next I'm working on something related to that.

[pirj]

Note to future self: it's possible to check/harvest for usage examples in https://github.com/eliotsykes/real-world-rails, https://github.com/pirj/real-world-rspec (slightly more up to date, but fewer Rails repos).

From Rails Guides:

Active Support has the concept of (html) safe strings. A safe string is one that is marked as being insertable into HTML as is. It is trusted, no matter whether it has been escaped or not.

Strings are considered to be unsafe by default:

NOTE: When using html: option, HTML entities will be escaped if the string is not composed with html_safe-aware APIs.