mlibrary / heliotrope

Codebase for Fulcrum, a Samvera-based digital publishing platform built by the University of Michigan Library

Home Page:https://fulcrum.org

Output Safety (html_safe concerns)

conorom opened this issue · comments

It's hard to know how much we need to worry about it, but this ticket is a place to gather concerns about places where `.html_safe` allows metadata we print to run JS scripts, break pages, etc. It's low priority as long as we only have trusted people editing content.

http://guides.rubyonrails.org/active_support_core_extensions.html#output-safety

We've known for a long time that many of our metadata fields will run a `<script>` saved in them. Some of these may have been patched up.

It gets a little tricky to pick through all the uses of `html_safe`. We've added markdown fields, and want the HTML from that to persist, so we may have worked around some of the `ERB::Util.h(value)` checks done in the original Hyrax renderers.

Also, the Monograph show page definitely will print scripts unescaped. Do we need to worry about that? It is increasingly becoming part of Fulcrum admin (setting representatives, etc.).

The `Hyrax::CitationsBehavior` formatters produce marked-up HTML and are set as `html_safe` in Hyrax. This doesn't seem to result in scripts being run.
However, tags in certain fields can break the reader completely (authorship field, for one).

Closing this, see HELIO-4502
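The two patterns this thread keeps coming back to are an `.html_safe` call that lets a `<script>` stored in a metadata field straight through to the page, and a markdown field whose rendered HTML has to be kept rather than escaped. The following is an added, stand-alone example written for this issue; it is not heliotrope or Hyrax code. It models the Rails `html_safe` contract with a tiny `SafeHtml` class (a stand-in for `ActiveSupport::SafeBuffer`), shows the escaped versus the "marked safe" rendering of the same field, and then runs markdown-renderer output through an allowlist sanitizer that rebuilds the markup and balances the tag stack, so an unclosed or stray tag in an authorship field cannot leak out of its container. The helper names (`render_field`, `sanitize_markdown_html`, `sanitize_attrs`), the allowlist, and the sample field values are all hypothetical and constructed for the example.

```ruby
# frozen_string_literal: true
#
# Added example (not heliotrope/Hyrax code): a stand-alone model of the Rails
# html_safe contract plus an allowlist "rebuild" sanitizer for markdown output.
# Names (SafeHtml, render_field, sanitize_markdown_html) are hypothetical.
require 'erb'
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String that answers html_safe?.
class SafeHtml < String
  def html_safe?
    true
  end
end

def mark_html_safe(str)
  SafeHtml.new(str)
end

# What <%= value %> does in an ERB view: escape unless the value is marked safe.
# Calling .html_safe on raw stored metadata is exactly the bug: nothing is escaped.
def render_field(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?

  ERB::Util.html_escape(value.to_s)
end

# Allowlist for markdown-rendered fields. Anything not listed is emitted as
# escaped text rather than as markup, so nothing outside this list reaches the DOM.
ALLOWED_TAGS  = %w[p br em strong code pre blockquote ul ol li a].freeze
ALLOWED_ATTRS = { 'a' => %w[href title] }.freeze
VOID_TAGS     = %w[br].freeze
SAFE_HREF     = %r{\A(?:https?:|mailto:|/|#)}i # rejects javascript:, data:, vbscript:

# Tokens: comment | tag (name, raw attribute text) | text run | lone "<".
TOKEN = %r{<!--.*?-->|</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|<}m
ATTR  = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

def sanitize_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  raw.scan(ATTR).filter_map do |aname, dq, sq, bare|
    aname = aname.downcase
    value = dq || sq || bare
    next unless value && allowed.include?(aname)

    value = CGI.unescapeHTML(value)                      # decode before checking the scheme
    next if aname == 'href' && value.strip !~ SAFE_HREF

    %( #{aname}="#{ERB::Util.html_escape(value)}")
  end.join
end

# Rebuilds the document from tokens instead of deleting "bad" parts, and keeps
# the tag stack balanced so a stray </strong> in an author field cannot close
# something outside the field and break the rest of the page.
def sanitize_markdown_html(html)
  out = +''
  open_tags = []
  html.scan(TOKEN) do |name, raw_attrs|
    tok = Regexp.last_match(0)
    if name.nil?
      next if tok.start_with?('<!--')                    # drop comments entirely
      out << ERB::Util.html_escape(CGI.unescapeHTML(tok)) # text: decode, then re-encode
      next
    end
    name = name.downcase
    unless ALLOWED_TAGS.include?(name)
      out << ERB::Util.html_escape(tok)                  # unknown tag becomes visible text
      next
    end
    if tok.start_with?('</')
      next unless open_tags.include?(name)               # close with no matching open: drop
      loop do
        closed = open_tags.pop
        out << "</#{closed}>"
        break if closed == name
      end
    else
      out << "<#{name}#{sanitize_attrs(name, raw_attrs)}>"
      open_tags.push(name) unless VOID_TAGS.include?(name)
    end
  end
  out << "</#{open_tags.pop}>" until open_tags.empty?   # close what the input left open
  out
end

# Constructed sample values standing in for stored metadata.
RAW_AUTHOR   = '<script>alert(1)</script>'
MARKDOWN_OUT = '<p>Smith, <em>Jane</em> <script>alert(1)</script>' \
               '<a href="javascript:alert(1)" onclick="x()">x</a>' \
               '<a href="https://fulcrum.org">Fulcrum</a></p>'

if __FILE__ == $PROGRAM_NAME
  puts render_field(RAW_AUTHOR)                          # escaped: harmless text
  puts render_field(mark_html_safe(RAW_AUTHOR))          # raw <script>: the bug
  puts render_field(mark_html_safe(sanitize_markdown_html(MARKDOWN_OUT)))
  puts sanitize_markdown_html('<em>Unclosed author</strong> name')
end
```

The order matters: sanitize first, then mark the result safe, and never call `.html_safe` on text that came from a stored field. In the actual Rails app the equivalent of `sanitize_markdown_html` is the `sanitize` view helper from rails-html-sanitizer with explicit `tags:` and `attributes:` lists, which parses with a real HTML parser; the regex tokenizer above is only a demonstration and, for example, will mis-tokenize a `>` inside a quoted attribute value.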