I'm running Rails 4.2.x and I have the following problem.
The <title> of some pages is generated from user content, so I have to use the Rails sanitize helpers to clean it up properly.
But if the user writes something like "A & B", the title shown in the browser is A &amp; B, which is wrong.
What's the correct way of escaping user content in the <title> tag using Rails? At least some special characters should be included...
We can use CGI also:
require 'cgi'
title = "A & B"
=> "A & B"
string = CGI.escapeHTML(title)
=> "A &amp; B"
CGI.unescapeHTML(string)
=> "A & B"
Rails provides many options to escape.
Refer these links:
raw vs. html_safe vs. h to unescape html
How to HTML encode/escape a string? Is there a built-in?
If you want to remove tags you can use SanitizeHelper.
One more option: WhiteListSanitizer
white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
white_list_sanitizer.sanitize(s, tags: %w())
white_list_sanitizer.sanitize(s, tags: %w(table tr td), attributes: %w(id class style))
You can use Rails::Html::TargetScrubber also
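As an added stand-alone example (not code from either poster, and no Rails needed), this reproduces the question's double-escaping with CGI and shows the escape-once rule for a text-only context like <title>; render_title is a hypothetical stand-in for what ERB's <%= %> does to a non-html_safe string:

```ruby
require 'cgi'

# Model of what ERB's <%= %> does to a plain (non-html_safe) string:
# escape exactly once, at output time.
def render_title(text)
  "<title>#{CGI.escapeHTML(text)}</title>"
end

# The symptom from the question: the value is already entity-encoded
# (sanitize and CGI.escapeHTML both return "A &amp; B") and the template
# escapes it again, so the browser shows a literal "A &amp; B".
def double_escaped_title(user_input)
  already_escaped = CGI.escapeHTML(user_input) # stands in for sanitize's output
  render_title(already_escaped)
end

# <title> holds text, not markup, so treat the value as plain text: undo
# any entity encoding it already carries (for example a sanitized value
# stored earlier) and let the template perform the single, final escape.
# Anything that looks like a tag is rendered as inert text.
def plain_text_title(user_input)
  render_title(CGI.unescapeHTML(user_input))
end

if __FILE__ == $PROGRAM_NAME
  puts double_escaped_title("A & B")  # <title>A &amp;amp; B</title>  (wrong)
  puts plain_text_title("A & B")      # <title>A &amp; B</title>      (right)
  puts plain_text_title("A &amp; B")  # <title>A &amp; B</title>      (stored pre-escaped)
  puts plain_text_title("<b>x</b>")   # <title>&lt;b&gt;x&lt;/b&gt;</title>
end
```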
You can both sanitize and convert html entities to proper characters with a combination of sanitize and the htmlentities gem. This works for me in the console:
gem install htmlentities
then...
require 'htmlentities'
c = ApplicationController.new
dirty_content = "<script>content & tags</script>"
clean_but_with_entities = c.helpers.sanitize(dirty_content)   # script tag stripped, "&" entity-encoded
nice_looking = HTMLEntities.new.decode(clean_but_with_entities.to_str)
You end up with "content & tags". To make this easier to use I put this in application_controller:
helper_method :sanitize_and_decode
def sanitize_and_decode(str)
  # sanitize first, then decode the entities in what sanitize returned
  HTMLEntities.new.decode(helpers.sanitize(str).to_str)
end
(to_str is to work around the SafeBuffer issue mentioned here)