I ran into a situation with .html_safe when communicating with a fellow programmer, and discovered that the method name isn't as clear as desired.
.html_safe does not mean “please make this html safe”, it’s the opposite - it is you the programmer telling rails that “this string is html safe, promise!”
This can be confused by programmers, and hence be a potential security risk. A programmer should be able to read the name of a method and unambiguously be able to predict what it does, precisely.
Renaming it to:
.prevent_html_escaping would make it unambiguous, and directly refer to what is actually being done (so that the programmer doesn’t have to infer what “safe” means, precisely).
Another potential name could be something like:
.render_html That name avoids the double negative: “preventing” an “escaping” (even though that is what actually happens, since rails escapes html by default)
It’s not the best name, since “render” alludes to something that should be placed in a view or template, but this method should never be called from a view,
because “Code should never call html_safe on a string unless that code constructed the string and actually ensured it’s html-safety.”, according to this blog post.
Maybe .unescape_html is the best name for it. It states what you do with the string, and not what state it should be in afterwards (“this html is safe”).
Naming methods like verbs is also more in line with method naming convention, I think.
Suggestions for better names are welcome.
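An added illustration of the semantics the post describes (this is constructed example code, not Rails' own ActiveSupport::SafeBuffer implementation and not part of the original post). It models the two behaviours in plain Ruby: a rendering step that escapes every ordinary String, and an html_safe method that does no escaping at all but simply flags the string as vouched for. The HtmlSafeString class, the render and link_to_user helpers and the UNTRUSTED input are all assumptions made for the example; only ERB::Util.html_escape is real standard-library code.

```ruby
require 'erb'

# Constructed stand-in for Rails' safe-buffer notion: a String subclass whose
# only difference is that it answers true to html_safe?.
class HtmlSafeString < String
  def html_safe?
    true
  end
end

class String
  # Mirrors the method name under discussion. Note what it does NOT do:
  # it performs no escaping. The caller is promising the content is safe HTML.
  def html_safe
    HtmlSafeString.new(self)
  end

  def html_safe?
    false
  end
end

# Models what a view does with a value: escape it unless someone vouched for it.
# (Avoids String#to_s on the safe subclass, which would return a plain String.)
def render(value)
  s = value.is_a?(String) ? value : value.to_s
  s.html_safe? ? s : ERB::Util.html_escape(s)
end

# The legitimate pattern: build the markup yourself, escape every untrusted
# piece that goes into it, and only then vouch for the finished string.
def link_to_user(name, url)
  "<a href=\"#{ERB::Util.html_escape(url)}\">#{ERB::Util.html_escape(name)}</a>".html_safe
end

# Constructed attacker-shaped input, the kind a view must never emit verbatim.
UNTRUSTED = "<script>alert(1)</script>"

if __FILE__ == $0
  puts render(UNTRUSTED)            # escaped: &lt;script&gt;alert(1)&lt;/script&gt;
  puts render(UNTRUSTED.html_safe)  # NOT escaped: the "promise" was false, markup is emitted as-is
  puts render(link_to_user(UNTRUSTED, "https://example.com/?q=a&b"))
end
```

The second call is the risk the post is about: html_safe on a string the code did not construct switches escaping off for whatever that string contains. The third call shows the only safe shape, where html_safe is applied to markup whose untrusted parts were escaped first.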