Tagging a string as html safe may be a security risk
RuboCop (0.48.1) complained with "Tagging a string as html safe may be a security risk".
Apparently it means: don't hand-write HTML tags and then call html_safe on the result, use content_tag instead. The point is that html_safe tells Rails the string is already escaped, so anything interpolated into it (user input included) is sent to the browser unescaped; content_tag and safe_join do the escaping themselves, so nothing has to be blessed by hand. ↓
```ruby
# bad: text is interpolated unescaped, then the whole string is marked safe
"<p>#{text}</p>".html_safe

# good: content_tag escapes text (unless it is already marked safe)
content_tag(:p, text)

# bad: appending to a plain String drops the safe flag; html_safe then
# blesses the whole buffer without checking what went into it
out = ""
out << content_tag(:li, "one")
out << content_tag(:li, "two")
out.html_safe

# good: safe_join escapes any element that is not already safe
out = []
out << content_tag(:li, "one")
out << content_tag(:li, "two")
safe_join(out)
```
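To see concretely why the cop fires, here is an added example (my own, not code from the RuboCop documentation or from Rails). It models the relevant part of Rails' behaviour with a small SafeString class standing in for ActiveSupport::SafeBuffer and uses ERB::Util.html_escape from the standard library; the content_tag and safe_join defined here are stand-ins that follow the same escaping rule as ActionView's helpers, not the real ones, and the payload strings are constructed for the demo.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (an assumption of this example, not
# Rails' own class): a String that remembers it has already been escaped.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are never trusted; html_safe blesses them unconditionally,
  # which is exactly what the cop is warning about.
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# Escape a value unless it is already flagged safe (the rule the real
# content_tag and safe_join follow).
def escape_unless_safe(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Model of content_tag: the tag name is trusted, the body is escaped.
def content_tag(name, content)
  SafeString.new("<#{name}>#{escape_unless_safe(content)}</#{name}>")
end

# Model of safe_join: every piece that is not flagged safe is escaped first,
# and only the assembled result is marked safe.
def safe_join(parts, separator = "")
  joined = parts.map { |p| escape_unless_safe(p) }.join(escape_unless_safe(separator))
  SafeString.new(joined)
end

# The flagged pattern: user input is interpolated, then the whole string is
# blessed, so a payload reaches the browser as markup.
def bad_paragraph(text)
  "<p>#{text}</p>".html_safe
end

# The replacement: content_tag escapes text unless it is already safe.
def good_paragraph(text)
  content_tag(:p, text)
end

# Second flagged pattern: concatenate fragments into a plain String, then
# bless the lot. Nothing checks whether each fragment was escaped.
def bad_list(fragments)
  out = ""
  fragments.each { |f| out << f }
  out.html_safe
end

# The replacement: safe_join escapes any fragment that is not flagged safe.
def good_list(fragments)
  safe_join(fragments)
end

if __FILE__ == $PROGRAM_NAME
  payload = "<script>alert(1)</script>" # constructed user input
  puts bad_paragraph(payload)  # <p><script>alert(1)</script></p>
  puts good_paragraph(payload) # <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>

  # One fragment was built with content_tag, the other was not.
  fragments = [content_tag(:li, "one"), "<li onclick=\"alert(1)\">two</li>"]
  puts bad_list(fragments)  # the raw onclick handler survives
  puts good_list(fragments) # the unflagged fragment is escaped
end
```

The second pair is the subtler one: both bad_list and good_list produce the same markup when every fragment came from content_tag, so the concatenation version looks harmless in a code review. The difference only shows when someone later appends a fragment that was not escaped, which is why the cop flags the html_safe call rather than trying to prove what went into the buffer.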
Source
Class: RuboCop::Cop::Rails::OutputSafety — Documentation for rubocop (0.41.2)