Here is a little thing I find good to know ! Maybe you are curious too and you want to know how rails 2.3 know if your strings are html safe or not.
In order to prevent XSS injections, Rails 2.3 implement a way to determine if a string is safe : It’s just a little extension of the core string class given by active support (output_safety.rb).
This extension add a @_rails_html_safe instance variable to the majority of each string created by rails helper in your application !! (I find this way kind of brutal personally)
This variable is a boolean, and if it’s true, your string is HTML safe. So on each concatenation your string will be marked as html safe or not.
If you want to mark yourself a string as safe, use the method : html_safe!
And if you want to know if a string is safe, use : htm_safe?
ruby-1.8.7-p249 > "<script>Not safe</script>".html_safe?
ruby-1.8.7-p249 > "<script>Not safe</script>".html_safe!.html_safe?
ruby-1.8.7-p249 > Marshal::dump(helper.tag('br'))
=> "\004\bI\"\v<br />\006:\026@_rails_html_safeT"
# Here you can see the @_rails_html_safe variable with the string.
Be careful, this code completely change in Rails3 and the little I seen, it’s a lot cleaner