Security.html - Safe ERB and Rails 3 says, in Section 5 and in
8.3.2, that the Safe ERB plugin is recommended. This is an old (3
years plus) unrevised plugin that was probably very useful in Rails 1
and 2, but the main purpose seems to have been superseded by default
in Rails 3 with default html_safe-ing of output.

So is this recommendation still a useful recommendation, or is it of
historic value only?

Section 5:

Refer to the Injection section for countermeasures against XSS. It is
recommended to use the SafeErb plugin also in an Intranet or
administration interface.
As a second step, it is good practice to escape all output of the
application, especially when re-displaying user input, which hasn’t
been input-filtered (as in the search form example earlier on). Use
the escapeHTML() (or its alias h()) method to replace the HTML input
characters &, ", <, > by their uninterpreted representations in HTML
(&amp;, &quot;, &lt;, and &gt;). However, it can easily happen that
the programmer forgets to use it, so it is recommended to use the
SafeErb plugin. SafeErb reminds you to escape strings from external

Cheers, JeremyC.
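To make the question concrete, here is an added example (not code from the Rails guide, the SafeErb plugin, or Rails itself) that models the Rails 3 behaviour the question refers to: an output buffer that escapes every appended string unless it has been marked html_safe. The SafeString, OutputBuffer, h, render_search_result and render_trusting names are constructed for this illustration; only ERB::Util.html_escape is Ruby's own.

```ruby
require 'erb'

# Constructed model of a "safe" string: the buffer below passes it through
# without escaping. This stands in for Rails' html_safe marking.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  # Mark a string as trusted markup; the buffer will not escape it again.
  def html_safe
    SafeString.new(self)
  end
end

# The h()/escapeHTML() of the guide: ERB::Util.html_escape from the stdlib
# turns & " < > into entities (it also escapes ' as &#39;).
def h(input)
  SafeString.new(ERB::Util.html_escape(input))
end

# Rails 3 style output buffer (simplified): untrusted strings are escaped
# on append, so forgetting h() no longer leaves raw input in the page.
class OutputBuffer
  def initialize
    @out = SafeString.new
  end

  def <<(str)
    @out << (str.html_safe? ? str : ERB::Util.html_escape(str))
    self
  end

  def to_s
    @out.to_s
  end
end

# Re-displaying a search query: escaped by default, no h() call needed.
def render_search_result(query)
  buf = OutputBuffer.new
  buf << '<p>Results for: '.html_safe << query << '</p>'.html_safe
  buf.to_s
end

# The remaining caveat: marking input html_safe (raw in Rails) bypasses the
# default escaping, so that is where review effort now belongs.
def render_trusting(markup)
  buf = OutputBuffer.new
  buf << '<p>'.html_safe << markup.html_safe << '</p>'.html_safe
  buf.to_s
end
```

render_search_result escapes the query even though it never calls h(), while render_trusting shows that an html_safe call on untrusted input reintroduces the injection the guide warns about.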

Yes, these remarks should be revised.