UPDATE
For security reasons, it is recommended to use sanitize instead of html_safe.
<%= sanitize @str %>
What’s happening is that, as a security measure, Rails is escaping your string for you because it might have malicious code embedded in it. But if you tell Rails that your string is html_safe, it’ll pass it right through.
@str = "<b>Hi</b>".html_safe
<%= @str %>
OR
@str = "<b>Hi</b>"
<%= @str.html_safe %>
Using raw works fine, but all it’s doing is converting the string to a string, and then calling html_safe. When I know I have a string, I prefer calling html_safe directly, because it skips an unnecessary step and makes clearer what’s going on. Details about string-escaping and XSS protection are in this Asciicast.