In Rails 6, String manipulation methods are now HTML-safe
aware. https://github.com/rails/rails/pull/33990

This means, when doing the `#insert` here it first escapes
the HTML before inserting into the HTML-safe string