SafeBuffer calls ERB::Util.h for strings that aren't html_safe, so you can gsub on ERB::Util.h(your_string) and replace instances of &amp;#[code]; with &#[code]; when first saving the string in your database. That way your string is first sanitized.

The call you need is ERB::Util.h(your_string).gsub(/&amp;(#x?[\da-fA-F]+;)/, '&\1')

Then whenever you need to display that particular string, call html_safe on it.
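The store/display pattern from this answer, as an added example that is not part of the original post: ERB::Util.h from Ruby's standard library does the escaping, the answer's regex restores the numeric character references that h() turned into "&amp;#...;", and a second helper shows what the view produces if the stored value is rendered without html_safe (double escaping). The function names and the sample input are mine.

```ruby
require 'erb'
require 'cgi'

# Added example, not code from the original answer. Restores numeric
# character references (&#169; / &#x3c;) that ERB::Util.h has escaped
# into &amp;#169; / &amp;#x3c;. The pattern is the one given in the answer.
NUMERIC_REF = /&amp;(#x?[\da-fA-F]+;)/

# Run once, when the user-supplied string is first saved to the database.
# Everything else (<, >, ", ', bare &) stays escaped, so markup cannot
# survive; only numeric references come back out as references.
def sanitize_for_storage(user_input)
  ERB::Util.h(user_input).gsub(NUMERIC_REF, '&\1')
end

# The characters a browser shows for the stored string when it is placed in
# element content: the escaped tags and the numeric references are both
# displayed as literal text, not parsed as markup.
def rendered_text(stored)
  CGI.unescapeHTML(stored)
end

# What reaches the page if the stored value is not marked html_safe:
# SafeBuffer escapes it a second time and the user sees "&lt;script&gt;".
def double_escaped(stored)
  ERB::Util.h(stored)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a tag, a decimal reference, a bare ampersand
  # and two hex references.
  input = '<script>alert(1)</script> &#169; 2024 Tom & Jerry &#x3c;b&#x3e;'
  stored = sanitize_for_storage(input)
  puts "stored:        #{stored}"
  puts "browser shows: #{rendered_text(stored)}"
  puts "without html_safe: #{double_escaped(stored)}"
end
```

The regex deliberately matches only the "&amp;#...;" shape, so a literal "&amp;" typed by the user stays escaped as "&amp;amp;" and is displayed as the text "&amp;". Because the stored value is going to be marked html_safe, keep the sanitizing step at the single point where the string enters the database; anything written to that column by another path bypasses it.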