raw vs. html_safe vs. h to unescape html

Frontend, unresolved, 6 answers, 1545 views

Suppose I have the following string

@x = \"Turn me into a link\"

In my view, I want a link to be displayed.

6 answers
  •  佛祖请我去吃肉
    2020-11-22 05:58

    I think it bears repeating: html_safe does not HTML-escape your string. In fact, it will prevent your string from being escaped.

    <%= "<script>alert('Hello!')</script>" %>
    

    will put:

    <script>alert('Hello!')</script>
    

    into your HTML source (yay, so safe!), while:

    <%= "<script>alert('Hello!')</script>".html_safe %>
    

    will pop up the alert dialog (are you sure that's what you want?). So you probably don't want to call html_safe on any user-entered strings.
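
The behaviour described in the answer above, as an added, runnable example that is not from the original post and does not depend on Rails: a small stdlib-only model of how Rails' output buffer, `h`, `raw` and `html_safe` interact (the `SafeString` class, `erb_output` and the `link_to` helper are constructed here to mimic ActiveSupport's SafeBuffer semantics; they are not Rails' own code). It shows the script payload being escaped by default, emitted verbatim once marked safe, and the safe way to answer the original question: escape the user-controlled pieces, then mark only the assembled link markup as safe.

```ruby
require "cgi"

# Constructed model of ActiveSupport::SafeBuffer (added example, not Rails code):
# a String subclass that carries an "already escaped, do not escape again" flag.
class SafeString < String
  def html_safe?
    true
  end

  # Appending an unsafe string to a safe one escapes the appended part,
  # mirroring what SafeBuffer#<< does in a Rails view's output buffer.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : CGI.escapeHTML(other.to_s))
  end
end

# Stand-in for String#html_safe / raw: asserts "trust me", so no escaping happens.
def html_safe(str)
  SafeString.new(str.to_s)
end
alias raw html_safe

# Stand-in for h (ERB::Util.html_escape as patched by Rails):
# escape unless the string is already marked safe, so nothing is double-escaped.
def h(str)
  return str if str.respond_to?(:html_safe?) && str.html_safe?
  SafeString.new(CGI.escapeHTML(str.to_s))
end

# What <%= value %> does in a Rails view: anything not marked safe is escaped.
def erb_output(value)
  h(value).to_s
end

# Safe answer to the question: build the link yourself, escape the
# user-controlled text and href, then mark only the assembled markup as safe.
def link_to(text, href)
  html_safe(%(<a href="#{CGI.escapeHTML(href.to_s)}">#{CGI.escapeHTML(text.to_s)}</a>))
end

PAYLOAD = "<script>alert('Hello!')</script>" # constructed attacker-style input

if __FILE__ == $PROGRAM_NAME
  puts erb_output(PAYLOAD)             # escaped entities, rendered as literal text
  puts erb_output(html_safe(PAYLOAD))  # the script tag itself, executed by the browser
  puts erb_output(link_to(PAYLOAD, "#"))
  buf = html_safe("<p>")
  buf << PAYLOAD                       # unsafe append gets escaped
  buf << html_safe("</p>")             # safe append goes through untouched
  puts buf
end
```

Note that escaping only stops the value from breaking out of its text or attribute context; a `javascript:` URL placed in `href` survives `CGI.escapeHTML` intact, so the scheme of a user-supplied href has to be validated separately.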
