XSS protection in Haml templates

If you’re using Haml templates instead of ERB, output from = is escaped automatically, in the same way as in ERB templates. Also as in ERB, strings marked HTML-safe (string.html_safe? returns true) won’t be escaped again. The != notation in Haml works like <%= raw(…) %> in ERB: it renders the value unescaped, whatever its origin.

By default,

= "<em>emphasized</em>"
!= "<em>emphasized</em>"

compiles to:

&lt;em&gt;emphasized&lt;/em&gt;
<em>emphasized</em>

So take care when using != in Haml: make sure no user data is rendered unescaped. The same caution applies to calling html_safe on a string that contains user data, since = will then pass it through untouched as well.
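To make the behaviour above concrete without compiling a template, here is an added Ruby example (not part of the original page and not Haml's or Rails' code). It reproduces the decision that Haml's = and != make, using the standard library's ERB::Util.html_escape and a constructed SafeString class that stands in for Rails' ActiveSupport::SafeBuffer; the user comment is constructed sample input. It also shows the safe way to combine user text with markup you control: escape the user part first, then mark only the assembled fragment as safe.

```ruby
require "erb"

# Constructed stand-in for ActiveSupport::SafeBuffer (example code, not
# Haml's or Rails' implementation): a String whose html_safe? is true.
class SafeString < String
  def html_safe?
    true
  end
end

# Mirrors Haml's `= expr`: a value that claims to be HTML-safe passes
# through; anything else is escaped with ERB::Util.html_escape (& < > " ').
def haml_equals(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    ERB::Util.html_escape(value.to_s)
  end
end

# Mirrors Haml's `!= expr` (and ERB's <%= raw(...) %>): never escapes.
def haml_bang_equals(value)
  value.to_s
end

# Safe pattern for wrapping user text in developer-authored markup:
# escape the user-controlled part, then mark only the result as safe.
def emphasize_user_text(user_text)
  SafeString.new("<em>#{ERB::Util.html_escape(user_text)}</em>")
end

# Constructed sample input: a comment field carrying a script payload.
USER_COMMENT = "<script>alert(document.cookie)</script>"

# The ways the payload can reach the page, keyed by how the template emits it.
def render_cases(user_input)
  {
    equals:      haml_equals(user_input),                 # = user_input
    bang_equals: haml_bang_equals(user_input),            # != user_input
    marked_safe: haml_equals(SafeString.new(user_input)), # = user_input.html_safe
    wrapped:     haml_equals(emphasize_user_text(user_input)),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "=  \"<em>emphasized</em>\" -> #{haml_equals('<em>emphasized</em>')}"
  puts "!= \"<em>emphasized</em>\" -> #{haml_bang_equals('<em>emphasized</em>')}"
  render_cases(USER_COMMENT).each do |how, html|
    verdict = html.include?("<script>") ? "XSS" : "safe"
    puts "#{how.to_s.ljust(12)} #{verdict.ljust(4)} #{html}"
  end
end
```

Only the equals and wrapped cases leave the script tag inert; bang_equals and marked_safe both hand the raw payload to the browser, which is why a string marked safe needs the same scrutiny as one rendered with !=.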