The Action Text guide instructs to render rich text with `= @message.content`
(I don't use the `<% %>` symbols as I am using Slim templates).
However, this renders the raw HTML source code.
I can fix this by replacing it with `== @message.content`:
But then it yields a Brakeman vulnerability error:

```
Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped parameter value
Code: authorize(@posts.find_by_uid!(params.require(:id))[/.*--(.*)/, 1]).body
File: app/views/posts/show.html.slim
Line: 26
```
What is the correct and safe way to render Action Text?
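To make the Brakeman warning concrete, here is an added, stand-alone Ruby example (not from the question, from Slim, or from Rails) that mimics the two Slim operators: `=` escapes a value unless it is marked HTML-safe, while `==` emits it verbatim. The `HtmlSafeString` class, the `toy_sanitize` allow-list filter and the sample rich text are assumptions constructed for this illustration; the real Action Text pipeline uses `Rails::Html` sanitizers, and the toy filter here only shows the shape of "sanitize with an allow-list, then mark safe".

```ruby
require "erb"

# Minimal stand-in for Rails' ActiveSupport::SafeBuffer: a string that
# declares itself already safe for HTML output (constructed for this example).
class HtmlSafeString < String
  def html_safe?
    true
  end
end

# Emulates Slim's "=" : escape unless the value says it is html_safe.
def slim_equals(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Emulates Slim's "==" : output verbatim, no escaping at all.
# This is exactly the path Brakeman flags as "Unescaped parameter value".
def slim_double_equals(value)
  value.to_s
end

# Toy allow-list sanitizer (illustration only, not a production filter):
# keeps only these tag names, strips every attribute from them, and
# HTML-escapes everything else (unknown tags, stray "<", text nodes).
ALLOWED_TAGS = %w[p b i em strong br].freeze
TAG_RE = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>\z}

def toy_sanitize(html)
  cleaned = html.gsub(%r{</?[^>]*>|[^<]+|<}) do |chunk|
    m = TAG_RE.match(chunk)
    if m && ALLOWED_TAGS.include?(m[2].downcase)
      "<#{m[1]}#{m[2].downcase}>"           # allowed tag, attributes dropped
    else
      ERB::Util.html_escape(chunk)           # text, or a tag we do not allow
    end
  end
  HtmlSafeString.new(cleaned)                # only now is it safe to mark safe
end

# Constructed sample: what a user could submit as "rich text".
SAMPLE = '<p>Hello <b onclick="x()">world</b></p><script>alert(1)</script>'

# Three renderings of the same input.
def render_variants(raw = SAMPLE)
  {
    escaped:    slim_equals(raw),                 # "=" on a plain String
    verbatim:   slim_double_equals(raw),          # "==" : script survives
    sanitized:  slim_equals(toy_sanitize(raw))    # "=" on a sanitized, safe value
  }
end

if $PROGRAM_NAME == __FILE__
  render_variants.each { |name, html| puts "#{name}: #{html}" }
end
```

The point the example makes: `=` and `==` only differ in whether they trust the value; the safe option is never "stop escaping", but "render a value that has been through an allow-list sanitizer and is therefore marked HTML-safe", which is what the `sanitized` variant shows.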