GitHub User: lzap
Warning: link_to method is NOT safe because its not properly encoding all characters into percent-encoding (skipping slash)
In your video if you click on the link with "...</strong>" text your application woulnt probably work because the slash in this string would brake your routing rules.
Actually this is not an XSS safety but an attacker could provide a string that would break the app from working (broken links).
I have no idea why link_to encodes only few characters and not all according to the specs.