I’ve tried looking into this to see if I can reproduce your issue.
I’m on Rails 6.1 and currently use ERB templates, but used HAML in the past (which doesn’t require enclosing Ruby injection in <% %>).
I’ve added brakeman to my project and run a quick scan. I did not get the XSS error for rendering the ActionText content, and from what brakeman reports the issue is with a different line in your view (your authorize call). I’m not sure this is related to ActionText. Maybe if you can add more context to this, I can continue digging into the issue (your controller action + complete view content).
Thanks Raul, about brakeman: I found a proper fix, so it’s not a problem. For historical reasons I’m loading my posts from the URL in a pretty non-standard way (find_by_uid!(params.require(:id))[/.*--(.*)/, 1])), so maybe escapeHTML is needed because of this, but anyway it doesn’t matter. This fix is good enough, and I’ll see in the future if it’s still needed when cleaning up the code.
Also good to know about this difference between erb and slim (= vs. ==)!
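To make the = vs. == distinction concrete, here is a small added example (not code from either poster, and not the app under discussion) using only Ruby's stdlib ERB::Util. It takes a slug-style id through the same regex quoted above and renders it once through the escaping path (Slim's = or Rails ERB <%= %>) and once through the raw path (Slim's ==, Rails ERB <%== %>, or raw()/html_safe). The slug and payload are constructed; SLUG_RE, uid_from_param, render_escaped and render_raw are names chosen for this example.

```ruby
require "erb"

# The regex from the post above: keep everything after the last "--".
SLUG_RE = /.*--(.*)/

# Extract the uid from a param like "my-post--abc123".
# Note the value is still attacker-controlled text at this point.
def uid_from_param(param)
  param[SLUG_RE, 1]
end

# Escaping output path: this is what Slim's `=` and Rails ERB `<%= %>` do.
# ERB::Util.html_escape turns & < > " ' into entities, so markup in the
# value is shown as text rather than parsed by the browser.
# (In Rails, html_escape additionally skips strings already marked html_safe.)
def render_escaped(value)
  "<h1>#{ERB::Util.html_escape(value)}</h1>"
end

# Raw output path: what Slim's `==`, Rails ERB `<%== %>` and raw()/html_safe do.
# Nothing is escaped, so any markup in the value reaches the browser intact.
def render_raw(value)
  "<h1>#{value}</h1>"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a benign slug and one carrying a script payload.
  %w[my-post--abc123 my-post--<script>alert(1)</script>].each do |param|
    uid = uid_from_param(param)
    puts "uid:     #{uid}"
    puts "escaped: #{render_escaped(uid)}"
    puts "raw:     #{render_raw(uid)}"
  end
end
```

Brakeman flags the raw path only when it can trace the value back to params, which is why a lookup like find_by_uid!(params.require(:id)[...]) followed by output of a related value can produce an XSS warning on a line that looks unrelated to ActionText.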