content_tag should escape its input

Signed-off-by: Yehuda Katz <yehudakatz@YK.local>

1 files changed, 3 insertions, 3 deletions

diff --git a/actionpack/lib/action_view/helpers/active_model_helper.rb b/actionpack/lib/action_view/helpers/active_model_helper.rb
index e106bb0897..c87e216c32 100644
--- a/actionpack/lib/action_view/helpers/active_model_helper.rb
+++ b/actionpack/lib/action_view/helpers/active_model_helper.rb
@@ -127,7 +127,7 @@ module ActionView
         if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) &&
           (errors = obj.errors[method])
           content_tag("div",
-            "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.first)}#{options[:append_text]}",
+            "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.first)}#{options[:append_text]}".html_safe,
             :class => options[:css_class]
           )
         else
@@ -228,14 +228,14 @@ module ActionView
               object.errors.full_messages.map do |msg|
                 content_tag(:li, ERB::Util.html_escape(msg))
               end
-            end.join
+            end.join.html_safe
 
             contents = ''
             contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
             contents << content_tag(:p, message) unless message.blank?
             contents << content_tag(:ul, error_messages)
 
-            content_tag(:div, contents, html)
+            content_tag(:div, contents.html_safe, html)
           end
         else
           ''