author | Bruno Michel <bmichel@menfin.info> | 2010-02-13 19:53:26 -0200 |
---|---|---|
committer | Yehuda Katz <yehudakatz@YK.local> | 2010-02-14 12:03:28 -0800 |
commit | f86421fb282ff2d209914db736ca64380dab044d (patch) | |
tree | d539bc4dac34268b5ed973bcfc9f80744d059c88 /actionpack/lib/action_view/helpers/form_tag_helper.rb | |
parent | 411c15ed5220cb07cfb1989d32be956f94a7478f (diff) | |
content_tag should escape its input
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
Diffstat (limited to 'actionpack/lib/action_view/helpers/form_tag_helper.rb')
-rw-r--r-- | actionpack/lib/action_view/helpers/form_tag_helper.rb | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 6ed6c3101b..7dcaee7e34 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -90,9 +90,9 @@ module ActionView
 html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
 if blank = options.delete(:include_blank)
 if blank.kind_of?(String)
- option_tags = "<option value=\"\">#{blank}</option>" + option_tags
+ option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
 else
- option_tags = "<option value=\"\"></option>" + option_tags
+ option_tags = "<option value=\"\"></option>".html_safe + option_tags
 end
 end
 content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
@@ -279,7 +279,7 @@ module ActionView
 escape = options.key?("escape") ? options.delete("escape") : true
 content = html_escape(content) if escape
- content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
+ content_tag :textarea, content.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
 end
 # Creates a check box form input tag. |
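Review bot: In the first hunk, the String branch interpolates `blank` into the option markup without escaping and then marks the whole string `html_safe`, so any markup inside an `:include_blank` value is emitted verbatim and is no longer caught by the escaping this commit adds to `content_tag`. The value should be escaped before the string is trusted: `option_tags = "<option value=\"\">#{html_escape(blank)}</option>".html_safe + option_tags`. Whether the caller-supplied `option_tags` on the right-hand side is escaped or trusted depends on how `+` behaves on a safe string, which is not visible here and is worth confirming. The enclosing method starts outside the hunk.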
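Review bot: In the second hunk, `content.html_safe` marks the textarea body as trusted on both paths, including the one where the caller passed `"escape" => false` and `html_escape` was skipped, so on that path raw caller input bypasses `content_tag`'s new escaping with nothing at the call site saying so. A comment above the call would make the trust decision explicit, e.g. `# content is raw only when the caller passed "escape" => false; never forward user input on that path`. If `content` may be nil (the signature is outside the hunk), the unescaped path would presumably call `html_safe` on nil, so `content.to_s.html_safe` looks safer — confirm against the method's default argument.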