Because XSS-free HTML generation is not about String#html_safe? - View it on GitHub