As we all know, in Rails all strings will be escaped <%= dangerous_string %> <!-- Safe -->

But if we use html_safe which is telling template turn off escape. <%= dangerous_string.html_safe %> <!-- Unsafe! --> btw, raw, == is the same as html_safe

What will it be after call html_safe on a string?

"string".html_safe.class
# => ActiveSupport::SafeBuffer

calling html_safe is no different other than returning a SafeBuffer object.

You could see active_support/core_ext/string/output_safety.rb

There’re many methods can turn safe buffer to unsafe. like

capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
slice squeeze strip sub succ swapcase tr tr_s upcase prepend

Why do they change?

UNSAFE_STRING_METHODS.each do |unsafe_method|
  if unsafe_method.respond_to?(unsafe_method)
    class_eval <<-EOT, __FILE__, __LINE__ + 1
      def #{unsafe_method}(*args, &block)       # def capitalize(*args, &block)
        to_str.#{unsafe_method}(*args, &block)  #   to_str.capitalize(*args, &block)
      end                                       # end

      def #{unsafe_method}!(*args)              # def capitalize!(*args)
        @html_safe = false                      #   @html_safe = false
        super                                   #   super
      end                                       # end
    EOT
  end
end

Which means if you need to call these methods on a SafeBuffer object, you must take care, they aint a SafeBuffer any more.

One more thing, sanitize is a whitelist filter method which will html encode all tags and strip all attributes that aren’t specifically allowed. If you’re John Snow(know nothing), use this method. see http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html