Also, it should be noted that h (which is an alias for html_escape) only converts four characters: & => &amp; " => &quot; > => &lt; < => &gt;
It does not include the single quote: ' which means it may be possible in some cases to perform XSS attacks while using this function. I recommend writing an escape function (or replacing html_escape with a function) that also converts: ' => '
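Added example (not part of the comment above and not Ruby's or Rails' own code): it shows how a value escaped for only the four characters & " > < can still close an attribute delimited with single quotes, and how converting ' as well, or delimiting with double quotes, keeps it inside. The helper names, the template and the sample value are hypothetical and constructed for illustration.

```ruby
require 'erb'

# Hypothetical escaper that handles only the four characters & " > <.
FOUR_CHAR_MAP = { '&' => '&amp;', '"' => '&quot;', '>' => '&gt;', '<' => '&lt;' }.freeze
# Same table plus the single quote, as a numeric character reference.
FIVE_CHAR_MAP = FOUR_CHAR_MAP.merge("'" => '&#39;').freeze

def escape_four(value)
  value.to_s.gsub(/[&"><]/, FOUR_CHAR_MAP)
end

def escape_five(value)
  value.to_s.gsub(/[&"'><]/, FIVE_CHAR_MAP)
end

# Hypothetical template: the attribute delimiter is chosen by the caller.
def render_input(value, escaper, quote = "'")
  "<input name=#{quote}q#{quote} value=#{quote}#{escaper.call(value)}#{quote}>"
end

# Small scanner for the tag above: lists attribute names the way an
# HTML parser would split quoted attributes.
def attribute_names(tag)
  tag.scan(/([a-zA-Z-]+)\s*=\s*(?:'[^']*'|"[^"]*")/).flatten
end

# Constructed sample input containing a single quote.
SAMPLE = "x' data-injected='1"

four_single = render_input(SAMPLE, method(:escape_four))
five_single = render_input(SAMPLE, method(:escape_five))
four_double = render_input(SAMPLE, method(:escape_four), '"')

puts four_single                        # the value closes the attribute early
puts attribute_names(four_single).inspect
puts five_single                        # the quote is now &#39; and stays data
puts attribute_names(five_single).inspect
puts four_double                        # double-quoted delimiter also contains it
puts attribute_names(four_double).inspect

# ERB::Util.html_escape in current Ruby releases converts ' as well.
puts ERB::Util.html_escape(SAMPLE)
```

An unexpected attribute name in the output of attribute_names means the value left its attribute, which is the condition a regression test for a template should check.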
Hello, it will print the information which is present in that variable. <%=h%> here, if "h" already has some value in it or a string. This is how to print that information in Ruby.