master
render :text => html_code
Read more: https://brakemanscanner.org/docs/warning_types/cross-site_scripting/