Securing Rails Applications — Ruby on Rails Guides says, in Section 5 and in 8.3.2, that the Safe ERB plugin is recommended. This is an old (3 years plus) unrevised plugin that was probably very useful in Rails 1 and 2, but the main purpose seems to have been superseded by default in Rails 3 with default html_safe-ing of output.
So is this recommendation still a useful recommendation, or is it of historic value only?
Section 5:
Refer to the Injection section for countermeasures against XSS. It is recommended to use the SafeErb plugin also in an Intranet or administration interface.
Section 8.3.2.3:
As a second step, it is good practice to escape all output of the application, especially when re-displaying user input, which hasn’t been input-filtered (as in the search form example earlier on). Use escapeHTML() (or its alias h()) method to replace the HTML input characters &, ", <, > by their uninterpreted representations in HTML (&amp;, &quot;, &lt;, and &gt;). However, it can easily happen that the programmer forgets to use it, so it is recommended to use the SafeErb plugin. SafeErb reminds you to escape strings from external sources.
Cheers, JeremyC.
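An added example, not part of the question above and not code from the Rails guide or the SafeErb plugin, showing the difference the question turns on: the Rails 1/2 model where the template author must remember h(), and the Rails 3 model where output is escaped unless a value is explicitly marked safe. It uses Ruby's stdlib ERB::Util.html_escape for escapeHTML()/h(); the SafeString class is a small stand-in for ActiveSupport::SafeBuffer written for this example, and USER_QUERY is a constructed sample input.

```ruby
require "erb"

# Constructed, untrusted sample input: what a user might type into a search form.
USER_QUERY = %q(<script>alert("xss")</script> & more)

# The guide's countermeasure: escapeHTML()/h(). ERB::Util.html_escape is the
# stdlib implementation; it rewrites & < > " ' as HTML entities.
def escape(value)
  ERB::Util.html_escape(value.to_s)
end

# Minimal model of Rails 3 "safe by default" output. This is an approximation of
# ActiveSupport::SafeBuffer written for this example, not Rails' own code:
# a SafeString is trusted markup, and anything appended to it that is not
# itself marked safe gets escaped first.
class SafeString
  attr_reader :to_s

  def initialize(markup)
    @to_s = markup.to_s.dup
  end

  def html_safe?
    true
  end

  # Appending untrusted text escapes it; appending trusted markup does not.
  def <<(other)
    trusted = other.respond_to?(:html_safe?) && other.html_safe?
    @to_s << (trusted ? other.to_s : escape(other))
    self
  end
end

# Output helper: trusted markup passes through, everything else is escaped.
def output(value)
  trusted = value.respond_to?(:html_safe?) && value.html_safe?
  trusted ? value.to_s : escape(value)
end

# The "programmer forgets to use it" case from the guide: raw interpolation.
# Kept only to show what the escaping prevents.
def render_unescaped(query)
  "<p>Results for: #{query}</p>"
end

# Rails 1/2 style: the template author must remember to call h() every time.
def render_with_h(query)
  "<p>Results for: #{escape(query)}</p>"
end

# Rails 3 style: the buffer escapes by default, so forgetting is not possible;
# only values explicitly marked safe (SafeString) are emitted verbatim.
def render_safe_by_default(query)
  buf = SafeString.new("<p>Results for: ")
  buf << query                    # untrusted -> escaped
  buf << SafeString.new("</p>")   # trusted markup -> verbatim
  buf.to_s
end

# Check used to confirm no live tag from the input survived into the page.
def contains_tag?(html, tag)
  html.include?("<#{tag}")
end

if __FILE__ == $0
  puts render_unescaped(USER_QUERY)
  puts render_with_h(USER_QUERY)
  puts render_safe_by_default(USER_QUERY)
  puts output(SafeString.new("<b>trusted</b>"))
end
```

The point a SafeErb-style reminder addressed is render_with_h: its safety depends on every call site remembering escape(). In render_safe_by_default the escaping lives in the buffer, so the only way to emit raw markup is to wrap it in SafeString deliberately, which is where review effort should go in a Rails 3 application.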