
Prohibit calling .html_safe in views


Problem

  1. You bind an object or variable to be displayed in a view (e.g. a variable named unharmful).
  2. You know it contains some HTML content, so you mark it with .html_safe in the view.
  3. Later on, unharmful is changed to bind to a different source, one that includes user-provided content.

Because the view marked it .html_safe, the unsafe content is rendered unescaped.

Proposal

Prohibit the use of .html_safe calls in views.

By prohibiting .html_safe usage in a view, we force the decision to be made either in the controller (for single variable bindings) or in a presenter (when we are binding an object, like a model), which is as close to the origin of the content as possible.
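The two patterns side by side, as an added example that is not GitLab's own code: a constructed TrustedHtml class stands in for ActiveSupport::SafeBuffer, render_view stands in for ERB output in a Rails view, and the build_comment_* functions play the roles of the changed binding (Problem step 3) and of the presenter the proposal asks for. The view in the first pattern asserts trust itself; in the second it only renders what the presenter already escaped.

```ruby
require 'erb'

# Constructed stand-in for ActiveSupport::SafeBuffer: a String subclass the
# renderer emits without escaping. In Rails, String#html_safe produces one.
class TrustedHtml < String; end

# Constructed minimal view renderer: escapes plain Strings, passes trusted
# buffers through unchanged, which is how ERB output behaves in Rails views.
def render_view(value)
  body = value.is_a?(TrustedHtml) ? value : ERB::Util.html_escape(value)
  "<p>#{body}</p>"
end

# --- Pattern the issue describes: trust is asserted in the view ----------

# Steps 1 and 2: the view marks the variable safe because "it contains HTML".
def vulnerable_view(unharmful)
  render_view(TrustedHtml.new(unharmful))
end

# Step 3: the binding later changes to include user-provided content. The
# view still asserts trust, so whatever markup the user typed is rendered.
def build_comment_unsafe(user_text)
  "<strong>Comment:</strong> #{user_text}" # user_text interpolated raw
end

# --- Proposed pattern: trust is established at the origin ----------------

# A presenter (or controller) knows which parts are its own markup and which
# are data, so it escapes the data and marks only the assembled result safe.
def build_comment_safe(user_text)
  TrustedHtml.new("<strong>Comment:</strong> #{ERB::Util.html_escape(user_text)}")
end

# The view renders what it is handed and never calls html_safe itself, so a
# later change of origin cannot silently widen what is trusted.
def proposed_view(presented)
  render_view(presented)
end

# Constructed sample input: a comment carrying markup the author never
# intended to be rendered.
SAMPLE_INPUT = 'hi <script>alert(1)</script>'

if $PROGRAM_NAME == __FILE__
  puts vulnerable_view(build_comment_unsafe(SAMPLE_INPUT)) # script tag survives
  puts proposed_view(build_comment_safe(SAMPLE_INPUT))     # script tag escaped
  puts proposed_view('<b>plain string</b>')                # plain input always escaped
end
```

The point of the split is that only the presenter has enough context to decide what is markup and what is data; once the view stops calling html_safe, changing the origin of unharmful changes what the presenter escapes rather than what the view blindly trusts.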

Edited by 🤖 GitLab Bot 🤖