Pass a string of data into the h() helper function to escape the characters in it that have special meaning in HTML. That is, instead of this:
<%= @data %>
do this:
<%=h @data %>
The h() helper function converts the following characters into their HTML entity equivalents: ampersand (&), double quote ("), left angle bracket (<), and right angle bracket (>).
You won't find the definition for the h() helper function anywhere in the Rails source code, because it's a shortcut for ERb's built-in helper function html_escape().
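The following is an added example, not code from the original recipe or from Rails itself. It renders the same untrusted string through a plain ERB template once without and once with h(), so the effect of the escaping described above can be seen directly. Outside a Rails view, h() is only available after `include ERB::Util`; the sample input string is constructed for the example.

```ruby
require "erb"

# In Rails views h() is available automatically; in plain ERB it must be
# mixed in explicitly. h() is an alias for ERB::Util.html_escape().
include ERB::Util

# Constructed sample input: user-supplied text that contains markup.
UNTRUSTED = %q{<b>Tom</b> & "friends"}

# Renders the data as-is, so any markup in it becomes part of the page.
def render_raw(data)
  ERB.new("<p><%= data %></p>").result(binding)
end

# Same template with h(): &, ", < and > become their entity equivalents,
# so the data is displayed as text rather than interpreted as HTML.
def render_escaped(data)
  ERB.new("<p><%=h data %></p>").result(binding)
end

# Simple check a template author can apply to rendered output: none of the
# characters h() is supposed to neutralise may survive unescaped inside the
# inserted data. (The surrounding <p> tags are stripped before the check.)
def data_escaped?(rendered)
  inner = rendered.sub(%r{\A<p>}, "").sub(%r{</p>\z}, "")
  !inner.match?(/[<>"]|&(?![a-z]+;)/)
end

if __FILE__ == $0
  puts render_raw(UNTRUSTED)
  puts render_escaped(UNTRUSTED)
  puts data_escaped?(render_escaped(UNTRUSTED))
end
```

Note that newer Ruby versions also convert the single quote (') in html_escape(); the sample above deliberately contains none, so its output matches the four-character list given for h().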