<p><a class="user-mention" href="https://github.com/mmd-osm">@mmd-osm</a> tnx for noticing. In <a class="commit-link" href="https://github.com/openstreetmap/openstreetmap-website/commit/23fa74823a66df95330f75f9bfd5cb2bffcb2505"><tt>23fa748</tt></a> i have fixed that by marking the html markup string as <code>html_safe</code> to prevent ruby from html escaping it.<br>
It works:<br>
<a target="_blank" href="https://user-images.githubusercontent.com/319826/37581977-17fc649a-2b4b-11e8-8bf4-3348e05d61f9.png"><img src="https://user-images.githubusercontent.com/319826/37581977-17fc649a-2b4b-11e8-8bf4-3348e05d61f9.png" alt="image" style="max-width:100%;"></a></p>
<p>...but rubocop <a href="https://travis-ci.org/openstreetmap/openstreetmap-website/builds/355233870" rel="nofollow">complains</a> with:</p>
<pre><code>app/helpers/browse_helper.rb:80:183: C: Rails/OutputSafety: Tagging a string as html safe may be a security risk.
      %( <div class="colour-preview-box" style="background-color:#{h(value)}" title="#{h(t('browse.tag_details.colour_preview', :colour_value => colour_value))}"></div>#{h(value)} ).html_safe
</code></pre>
<p>Not sure how to fix that properly. <a class="user-mention" href="https://github.com/tomhughes">@tomhughes</a>, is it ok to add the exception to the whole file to <code>.rubocop*.yml</code> or is there a better way (adding exception for just this line or preventing the unwanted html escaping in some other way)?</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/pull/1779#issuecomment-374119951">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/ABWnLca8hdDIuuyrWNmBYUaEoxq_Jw2Bks5tf1pUgaJpZM4Sdsny">mute the thread</a>.<img src="https://github.com/notifications/beacon/ABWnLa4ia7Kd3Bu4b6Ek9XKMdZUFPPQaks5tf1pUgaJpZM4Sdsny.gif" height="1" width="1" alt="" /></p>
<div itemscope itemtype="http://schema.org/EmailMessage">
<div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
  <link itemprop="url" href="https://github.com/openstreetmap/openstreetmap-website/pull/1779#issuecomment-374119951"></link>
  <meta itemprop="name" content="View Pull Request"></meta>
</div>
<meta itemprop="description" content="View this Pull Request on GitHub"></meta>
</div>

<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/openstreetmap/openstreetmap-website","title":"openstreetmap/openstreetmap-website","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/openstreetmap/openstreetmap-website"}},"updates":{"snippets":[{"icon":"PERSON","message":"@stefanb in #1779: @mmd-osm tnx for noticing. In 23fa74823a66df95330f75f9bfd5cb2bffcb2505 i have fixed that by marking the html markup string as `html_safe` to prevent ruby from html escaping it.\r\nIt works:\r\n![image](https://user-images.githubusercontent.com/319826/37581977-17fc649a-2b4b-11e8-8bf4-3348e05d61f9.png)\r\n\r\n...but rubocop [complains](https://travis-ci.org/openstreetmap/openstreetmap-website/builds/355233870) with:\r\n```\r\napp/helpers/browse_helper.rb:80:183: C: Rails/OutputSafety: Tagging a string as html safe may be a security risk.\r\n      %( \u003cdiv class=\"colour-preview-box\" style=\"background-color:#{h(value)}\" title=\"#{h(t('browse.tag_details.colour_preview', :colour_value =\u003e colour_value))}\"\u003e\u003c/div\u003e#{h(value)} ).html_safe\r\n```\r\nNot sure how to fix that properly. @tomhughes, is it ok to add the exception to the whole file to `.rubocop*.yml` or is there a better way (adding exception for just this line or preventing the unwanted html escaping in some other way)?"}],"action":{"name":"View Pull Request","url":"https://github.com/openstreetmap/openstreetmap-website/pull/1779#issuecomment-374119951"}}}</script>