Ruby-on-rails: raw vs. html_safe vs. h for escaping HTML

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, distributed under the CC BY-SA 4.0 licence. If you use it, you must follow the CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/4251284/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-09-02 23:41:26  Source: igfitidea

raw vs. html_safe vs. h to unescape html

ruby-on-rails erb

Asked by grautur

Suppose I have the following string

@x = "<a href='#'>Turn me into a link</a>"

In my view, I want a link to be displayed. That is, I don't want everything in @x to be unescaped and displayed as a string. What's the difference between using

<%= raw @x %>
<%= h @x %>
<%= @x.html_safe %>

?

Answered by Fábio Batista

Considering Rails 3:

html_safe actually "sets the string" as HTML Safe (it's a little more complicated than that, but it's basically it). This way, you can return HTML Safe strings from helpers or models at will.

h can only be used from within a controller or view, since it's from a helper. It will force the output to be escaped. It's not really deprecated, but you most likely won't use it anymore: the only usage is to "revert" an html_safe declaration, pretty unusual.

Prepending your expression with raw is actually equivalent to calling to_s chained with html_safe on it, but is declared on a helper, just like h, so it can only be used on controllers and views.

"SafeBuffers and Rails 3.0" is a nice explanation on how the SafeBuffers (the class that does the html_safe magic) work.

Answered by roasm

I think it bears repeating: html_safe does not HTML-escape your string. In fact, it will prevent your string from being escaped.

<%= "<script>alert('Hello!')</script>" %>

will put:

&lt;script&gt;alert(&#x27;Hello!&#x27;)&lt;/script&gt;

into your HTML source (yay, so safe!), while:

<%= "<script>alert('Hello!')</script>".html_safe %>

will pop up the alert dialog (are you sure that's what you want?). So you probably don't want to call html_safe on any user-entered strings.

Answered by Pankhuri

The difference is between Rails' html_safe() and raw(). There is an excellent post by Yehuda Katz on this, and it really boils down to this:

def raw(stringish)
  stringish.to_s.html_safe
end

Yes, raw() is a wrapper around html_safe() that forces the input to String and then calls html_safe() on it. It's also the case that raw() is a helper in a module whereas html_safe() is a method on the String class which makes a new ActiveSupport::SafeBuffer instance — that has a @dirty flag in it.

Refer to "Rails' html_safe vs. raw".

Answered by Deepak Mahakale

  1. html_safe:

    Marks a string as trusted safe. It will be inserted into HTML with no additional escaping performed.

    "<a>Hello</a>".html_safe
    #=> "<a>Hello</a>"
    
    nil.html_safe
    #=> NoMethodError: undefined method `html_safe' for nil:NilClass
    
  2. raw:

    raw is just a wrapper around html_safe. Use raw if there are chances that the string will be nil.

    raw("<a>Hello</a>")
    #=> "<a>Hello</a>"
    
    raw(nil)
    #=> ""
    
  3. h, alias for html_escape:

    A utility method for escaping HTML tag characters. Use this method to escape any unsafe content.

    In Rails 3 and above it is used by default, so you don't need to use this method explicitly.
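The behaviours described in roasm's, Pankhuri's and Deepak Mahakale's answers (h escaping, html_safe only marking, raw tolerating nil, and a safe buffer escaping untrusted content concatenated onto it) modelled in plain Ruby on top of the stdlib ERB::Util. This is an added example, not code from the original post or from Rails; SafeBuffer, h, raw and render here are simplified stand-ins for the Rails versions.

```ruby
require "erb" # stdlib: ERB::Util.html_escape is what <%= %> escaping rests on

# Anything not explicitly marked is untrusted (Rails defines Object#html_safe? the same way).
class Object
  def html_safe?
    false
  end
end

# Simplified stand-in for ActiveSupport::SafeBuffer: a String that remembers it is
# trusted and escapes untrusted content that gets concatenated onto it.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Safe content is appended as-is; anything else is escaped first.
  def concat(other)
    super(other.html_safe? ? other.to_s : ERB::Util.html_escape(other.to_s))
  end
  alias_method :<<, :concat

  def +(other)
    dup.concat(other)
  end
end

class String
  # html_safe does NOT escape; it only marks the string as trusted.
  def html_safe
    SafeBuffer.new(self)
  end
end

# h: force escaping, regardless of any earlier html_safe mark.
def h(value)
  SafeBuffer.new(ERB::Util.html_escape(value.to_s))
end

# raw: to_s first, so raw(nil) is "" where nil.html_safe raises NoMethodError.
def raw(stringish)
  stringish.to_s.html_safe
end

# What <%= value %> emits: escaped unless the value is marked safe.
def render(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end
```

Note that the safe/unsafe state of the whole output depends on the flag, not on the string's contents, which is why marking user input with html_safe removes the protection.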

Answered by Guilherme Y. Hatano

The best safe way is: <%= sanitize @x %>

It will avoid XSS!

Answered by user3118220

In Simple Rails terms:

h removes html tags into number characters so that rendering won't break your html

html_safe sets a boolean in string so that the string is considered as html safe

raw: it converts to html_safe to string