should html_safe? html safety marker be preserved? #94

Open
jrochkind opened this issue Jun 2, 2022 · 0 comments

Comments


jrochkind commented Jun 2, 2022

Rails uses an html_safe marker to indicate if the string is properly HTML-safe.

If rinku doesn't do a substitution, it just returns the input, the identical object, so of course the HTML safety marker is unchanged.

input_s = "<b>bold</b>".html_safe
input_s.html_safe? # => true

output_s = Rinku.auto_link(input_s)
output_s.html_safe? # => true (same object as input_s, nothing was substituted)

But if rinku actually does a substitution, it always returns a string without html_safe set.

html_input = "<b>bold</b> http://example.com".html_safe
html_input.html_safe? # => true

html_output = Rinku.auto_link(html_input)
# => "<b>bold</b> <a href=\"http://example.com\">http://example.com</a>"
html_output.html_safe? # => false

If rinku is performing correctly without bugs, then the output in fact should still be html_safe if the input was.

Should rinku set html_safe on output in cases where html_safe was set on input?

Without this, when using it with HTML input (as Rinku specifically supports), users will often just need to add it on themselves: Rinku.auto_link(html_input).html_safe. This is both wordier/repetitive and somewhat more subject to error: you might accidentally set html_safe even when the input didn't already have html_safe set, which could open you up to XSS bugs; really the logic should set html_safe on output only if it was set on input.
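The propagation rule the issue proposes, written out as an added example that is not code from the rinku project or from the issue author. So that it runs without Rails or the rinku gem, two stand-ins are assumed: a minimal `String#html_safe` / `#html_safe?` pair in place of ActiveSupport's `SafeBuffer` (only defined when ActiveSupport has not already provided it), and a tiny regex autolinker (`stand_in_auto_link`, a placeholder for `Rinku.auto_link`) that, like a real substitution, hands back a plain unsafe `String`. The wrapper `auto_link_preserving_safety` is the part that matters: it marks the result html_safe only when the input already carried the marker, so untrusted input never gets blessed by accident.

```ruby
# Added example, not from the rinku project or the issue author.
# Assumption: a minimal stand-in for ActiveSupport's SafeBuffer, defined
# only if ActiveSupport is not loaded (ActiveSupport defines html_safe?).
unless String.method_defined?(:html_safe?)
  # Stand-in for ActiveSupport::SafeBuffer: a String that reports itself safe.
  class HtmlSafeString < String
    def html_safe?
      true
    end

    # Already safe; mirror SafeBuffer#html_safe, which returns self.
    def html_safe
      self
    end
  end

  class String
    # A plain String is untrusted by default.
    def html_safe?
      false
    end

    # Explicitly bless a string (this is the call the issue wants to avoid
    # sprinkling over untrusted data).
    def html_safe
      HtmlSafeString.new(self)
    end
  end
end

# Assumption: placeholder for Rinku.auto_link. Mirrors the behaviour the issue
# describes: no URL -> the identical input object is returned; otherwise a
# fresh, plain (unsafe) String is returned even when the input was safe.
def stand_in_auto_link(text)
  return text unless text.match?(%r{https?://\S+})
  String.new(text.gsub(%r{(https?://[^\s<]+)}, '<a href="\1">\1</a>'))
end

# The rule proposed in the issue: set html_safe on the output only if it was
# set on the input. `linker` is whichever autolinker you use; in a Rails app
# you would pass Rinku.method(:auto_link).
def auto_link_preserving_safety(input, linker = method(:stand_in_auto_link))
  output = linker.call(input)
  input.html_safe? ? output.html_safe : output
end

# Constructed sample inputs, one trusted and one untrusted.
trusted = "<b>bold</b> http://example.com".html_safe
untrusted = "<script>alert(1)</script> http://example.com"

puts auto_link_preserving_safety(trusted)              # anchor added, still safe
puts auto_link_preserving_safety(trusted).html_safe?   # true
puts auto_link_preserving_safety(untrusted).html_safe? # false: marker not granted
```

Because the marker is copied from the input rather than asserted unconditionally, the untrusted string stays unsafe and will still be escaped by Rails when rendered, while the already-safe string keeps its marker without a trailing `.html_safe` at every call site.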
