Rails uses an html_safe marker to indicate if the string is properly HTML-safe.
If rinku doesn't do a substitution, it just returns the input, the identical object, so of course HTML safety marker is unchanged.
But if rinku actually does a substitution, it always returns a string without html_safe set.
If rinku is performing correctly without bugs, then the output in fact should still be html_safe if the input was.
Should rinku set html_safe on output in cases where html_safe was set on input?
Without this, when using with html input (as Rinku specifically supports), users will often just need to add it on themselves: Rinku.auto_link(html_input).html_safe. This is both wordier/repetitive and somewhat more subject to error: you might accidentally set html_safe even when the input didn't already have html_safe set, which could open you up to XSS bugs; really the logic should be setting html_safe on output only if it was set on input.
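The logic proposed above, as an added example that is not Rinku's or Rails' own code: a wrapper that marks the output html_safe only when the input already carried the marker. To run offline it uses constructed stand-ins for Rinku.auto_link (a regex autolinker with the same return-value behaviour described in this issue) and for ActiveSupport's SafeBuffer (a String subclass carrying the marker); a Rails app would use the real ones.

```ruby
require 'cgi'

# Constructed stand-in for ActiveSupport::SafeBuffer: a String subclass that
# carries the "already safe HTML" marker. Plain Strings report html_safe? false.
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Constructed stand-in for Rinku.auto_link: wraps bare http(s) URLs in <a> tags.
# Like Rinku as described in the issue, it returns the identical object when it
# substitutes nothing, and a fresh plain String (marker dropped) when it does.
URL_RE = %r{https?://[^\s<>"]+}
def auto_link_stub(text)
  return text unless text.match?(URL_RE)
  String.new(text).gsub(URL_RE) { |u| %(<a href="#{u}">#{u}</a>) }
end

# The behaviour the issue asks for: restore the html_safe marker on the output
# only if the input had it. Unsafe input stays unsafe, so the template layer
# still escapes it on render instead of emitting attacker-controlled markup.
def auto_link_preserving_safety(text)
  out = auto_link_stub(text)
  return out if out.html_safe? || !text.html_safe? # nothing to restore
  out.html_safe
end

# What a Rails template does with the result: escape anything not marked safe.
def render(text)
  text.html_safe? ? text.to_s : CGI.escapeHTML(text.to_s)
end
```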