I have
@str = "<b>Hi</b>"
and in my erb view:
<%= @str %>
What will display on the page is: <b>Hi</b> when what I really want is Hi. What’s the ruby way to “interpret” a string as HTML markup?
Edit: the case where
@str = "<span class=\"classname\">hello</span>"
If in my view I do
<%= raw @str %>
The HTML source code is <span class=\"classname\">hello</span> where what I really want is <span class="classname">hello</span> (without the backslashes that were escaping the double quotes). What’s the best way to “unescape” those double quotes?
UPDATE
For security reasons, it is recommended to use sanitize instead of html_safe.

What's happening is that, as a security measure, Rails is escaping your string for you because it might have malicious code embedded in it. But if you tell Rails that your string is html_safe, it'll pass it right through.

OR

Using raw works fine, but all it's doing is converting the string to a string, and then calling html_safe. When I know I have a string, I prefer calling html_safe directly, because it skips an unnecessary step and makes clearer what's going on. Details about string-escaping and XSS protection are in this Asciicast.
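To make the escaping behaviour the answer describes concrete, here is an added, self-contained example (not Rails code and not from the answer): a stand-in for ActiveSupport::SafeBuffer plus a one-line ERB view, using only Ruby's stdlib. SafeString, h, raw, VIEW and render_view are names assumed for this example; the sample user input is constructed.

```ruby
require "erb"

# Added example, not Rails code: a stand-in for ActiveSupport::SafeBuffer.
# A SafeString is an ordinary String that remembers it was marked trusted.
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# `raw` as the answer describes it: to_s, then html_safe.
def raw(value)
  value.to_s.html_safe
end

# What <%= %> does in a Rails view: flagged strings pass through untouched,
# anything else is HTML-escaped (ERB::Util.html_escape is Ruby stdlib).
def h(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# A one-line stand-in for the ERB view from the question (assumed name).
VIEW = "<p><%= h(str) %></p>"

def render_view(str)
  ERB.new(VIEW).result_with_hash(str: str)
end

if __FILE__ == $PROGRAM_NAME
  # The asker's case: developer-written markup is escaped unless flagged.
  puts render_view("<b>Hi</b>")                # <p>&lt;b&gt;Hi&lt;/b&gt;</p>
  puts render_view("<b>Hi</b>".html_safe)      # <p><b>Hi</b></p>
  puts render_view(raw("<b>Hi</b>"))           # <p><b>Hi</b></p>

  # The backslashes exist only in Ruby source; the string itself has none.
  puts render_view(raw("<span class=\"classname\">hello</span>"))

  # Why html_safe on user-controlled input is the risk the answer warns about:
  # the flag switches off the escaping that protects the page. Constructed input.
  user_input = "<script>alert(1)</script>"
  puts render_view(user_input)                 # escaped, rendered as text
  puts render_view(user_input.html_safe)       # inserted into the page verbatim
end
```

Only the developer-authored constant should ever be flagged; anything that originates from a request belongs in sanitize, as the answer's update says.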