I was wondering when it is safe to use html_safe and when not. I read that you don't want to do this if the code may contain user content. What does this mean in practice?
flash[:danger] = "Dear #{@user.username} <br> please take a look #{view_context.link_to('here', some_path)} <br> Your organization #{@user.organizationname} bla bla"
For example, a flash message such as this one will need html_safe to display correctly, but in this case it also contains username and organizationname, which is content entered by the user. Is it then still safe to use html_safe?
If you inject user content into strings you render with html_safe, you have to make sure all the injected content is sanitized:

flash[:danger] = "Dear #{ActionController::Base.helpers.sanitize(@user.username)} <br> please take a look #{view_context.link_to('here', some_path)} <br> Your organization #{ActionController::Base.helpers.sanitize(@user.organizationname)} bla bla"
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
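The point of the answer above, shown as an added example that is not part of the question or answer: the markup you wrote yourself (the `<br>` and the link) is trusted, every value that came from a user is not, so each of those values gets encoded before it is dropped into the string that will later be marked html_safe. This example runs on plain Ruby without Rails, so it uses the stdlib ERB::Util.html_escape (which is what Rails' `h` helper calls) instead of the Rails `sanitize` helper from the answer; the difference is that html_escape encodes every tag, while `sanitize` strips tags not on its allowlist and keeps the rest. The username, organization name and link below are constructed inputs, and `foreign_tags` is a hypothetical check written for this example only.

```ruby
require "erb"

# Constructed sample input: a user who typed markup into their profile fields.
ATTACKER_USERNAME = '<img src=x onerror="alert(1)">'
ORG_NAME = "Acme & Sons"
# Constructed stand-in for what link_to('here', some_path) would produce.
LINK_HTML = '<a href="/some/path">here</a>'

# Unsafe: user-controlled values are interpolated verbatim into markup that the
# view will later mark html_safe, so the attacker's <img ... onerror> survives
# into the rendered page.
def flash_unsafe(username, org, link_html)
  "Dear #{username} <br> please take a look #{link_html} <br> Your organization #{org} bla bla"
end

# Safe: each user-controlled value is HTML-escaped before it is placed in the
# markup. Only the <br> and the link we wrote ourselves remain as real tags.
def flash_safe(username, org, link_html)
  "Dear #{ERB::Util.html_escape(username)} <br> please take a look #{link_html} " \
    "<br> Your organization #{ERB::Util.html_escape(org)} bla bla"
end

# Hypothetical check used by this example: list every tag name in the string
# that is not one of the tags the template itself is supposed to contain.
# An empty result means nothing user-supplied is being parsed as markup.
def foreign_tags(html, allowed: %w[br a])
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)})
      .flatten
      .map(&:downcase)
      .reject { |tag| allowed.include?(tag) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe foreign tags: #{foreign_tags(flash_unsafe(ATTACKER_USERNAME, ORG_NAME, LINK_HTML)).inspect}"
  puts "safe   foreign tags: #{foreign_tags(flash_safe(ATTACKER_USERNAME, ORG_NAME, LINK_HTML)).inspect}"
  puts flash_safe(ATTACKER_USERNAME, ORG_NAME, LINK_HTML)
end
```

Note that escaping happens per value, not on the finished string: escaping the whole message at the end would also encode the `<br>` and the link, which is exactly the "does not display correctly" problem the question describes.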