If `<b>hello</b>` comes out as **hello**, that means HTML escaping is already prevented. Since you don't want users to be able to use HTML in their inputs, you want HTML to be escaped, so that `<b>hello</b>` comes out as `<b>hello</b>`.
In a Rails 3 app, HTML automatically gets escaped, but you can explicitly escape it using the `h` method:

    <%= h my_string %>
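To see the difference the answer describes without a Rails app, here is an added example (not part of the original answer) using only Ruby's standard-library ERB. Rails' `h` helper is built on the same `ERB::Util.html_escape`, so the output matches what a Rails view would produce; the template names and the sample inputs are constructed for the demo.

```ruby
require "erb"
include ERB::Util # makes `h` (alias of html_escape) available, as in a Rails view

# Constructed sample inputs, as a user might type them into a form.
SAMPLE_INPUTS = [
  "<b>hello</b>",
  %q(5 < 6 & "quoted" 'text'),
].freeze

# Escaped template: <%= h ... %> turns <, >, &, " and ' into entities,
# so the browser shows the literal text "<b>hello</b>" instead of bold "hello".
ESCAPED_TEMPLATE = ERB.new("<p><%= h comment %></p>")

# Unescaped template: the markup is emitted as-is and the browser renders it
# (this is the "comes out as hello" case the answer warns about).
UNESCAPED_TEMPLATE = ERB.new("<p><%= comment %></p>")

# Escape a single string exactly the way `h` does.
def escape_for_html(str)
  h(str)
end

# Render a user comment with escaping applied.
def render_escaped(comment)
  ESCAPED_TEMPLATE.result_with_hash(comment: comment)
end

# Render a user comment with no escaping, for comparison only.
def render_unescaped(comment)
  UNESCAPED_TEMPLATE.result_with_hash(comment: comment)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |input|
    puts "input:     #{input}"
    puts "escaped:   #{render_escaped(input)}"
    puts "unescaped: #{render_unescaped(input)}"
    puts
  end
end
```

Run it directly to print both renderings side by side; the escaped line is what a Rails 3 view emits by default, and the unescaped line is what you get only if you deliberately bypass escaping.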