class RuboCop::Cop::Rails::OutputSafety

“&lt;b&gt;hi&lt;/b&gt; <span>&lt;b&gt;hi&lt;/b&gt;</span>”
=> ActiveSupport::SafeBuffer
safe_join([user_content, “ ”, content_tag(:span, user_content)])
# good
“hi <span>hi</span>”
=> ActiveSupport::SafeBuffer
(user_content + “ ” + content_tag(:span, user_content)).html_safe
# bad
=> trusted content&lt;b&gt;hi&lt;/b&gt;
<%= result %>
# because when rendered in ERB the String will be escaped:
=> String “trusted contenthi”
result = out.concat(user_content)
out = “trusted content”
# safe, though maybe not good style
“<h1>trusted_content</h1>&lt;b&gt;hi&lt;/b&gt;”
=> ActiveSupport::SafeBuffer
out.concat(user_content)
out = “<h1>trusted content</h1>”.html_safe
# good
“<h1>trusted_content</h1>hi”
=> ActiveSupport::SafeBuffer
out.safe_concat(user_content)
out = “<h1>trusted content</h1>”.html_safe
# bad
“<li>&lt;b&gt;hi&lt;/b&gt;</li><li>&lt;b&gt;hi&lt;/b&gt;</li>”
=> ActiveSupport::SafeBuffer
safe_join(out)
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
out = []
# good
“<li>hi</li><li>hi</li>”
=> ActiveSupport::SafeBuffer
out.html_safe
out << “<li>#{user_content}</li>”
out << “<li>#{user_content}</li>”
out = “”
# bad
“<p>&lt;b&gt;hi&lt;/b&gt;</p>”
=> ActiveSupport::SafeBuffer
content_tag(:p, user_content)
# good
“<p>hi</p>”
=> ActiveSupport::SafeBuffer
“<p>#{user_content}</p>”.html_safe
# bad
user_content = “hi”
@example
concatenate content and escape it, ensuring its safety.
use safe_join to join content and escape it and concat to
simply return a SafeBuffer containing the content as is. Instead,
raw, and safe_concat. These methods do not escape content. They
This cop checks for the use of output safety calls like html_safe,