authorBruno Michel <bmichel@menfin.info>2010-02-13 19:53:26 -0200
committerYehuda Katz <yehudakatz@YK.local>2010-02-14 12:03:28 -0800
commitf86421fb282ff2d209914db736ca64380dab044d (patch)
treed539bc4dac34268b5ed973bcfc9f80744d059c88 /actionpack/lib/action_view/helpers/form_tag_helper.rb
parent411c15ed5220cb07cfb1989d32be956f94a7478f (diff)
content_tag should escape its input
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
Diffstat (limited to 'actionpack/lib/action_view/helpers/form_tag_helper.rb')
-rw-r--r--actionpack/lib/action_view/helpers/form_tag_helper.rb6
1 files changed, 3 insertions, 3 deletions
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 6ed6c3101b..7dcaee7e34 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -90,9 +90,9 @@ module ActionView
html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
if blank = options.delete(:include_blank)
if blank.kind_of?(String)
- option_tags = "<option value=\"\">#{blank}</option>" + option_tags
+ option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
else
- option_tags = "<option value=\"\"></option>" + option_tags
+ option_tags = "<option value=\"\"></option>".html_safe + option_tags
end
end
content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
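Review bot: The `include_blank` string is interpolated into the `<option>` markup unescaped and the result is then marked `html_safe`, so any markup in `blank` reaches the page verbatim. If that label can ever carry user-influenced text, this is an injection point that `content_tag`'s own escaping will no longer catch. Escape the label before marking the wrapper safe, using the `html_escape` helper that this file already calls in the textarea hunk: `option_tags = "<option value=\"\">#{html_escape(blank)}</option>".html_safe + option_tags`. Whether a caller-supplied `option_tags` that is not already marked safe gets escaped by the `+` depends on the safe-string implementation in this tree, so that should be covered by a test. The enclosing method starts and ends outside the hunk.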
@@ -279,7 +279,7 @@ module ActionView
escape = options.key?("escape") ? options.delete("escape") : true
content = html_escape(content) if escape
- content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
+ content_tag :textarea, content.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
end
# Creates a check box form input tag.
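Review bot: When `escape` is false, `content.html_safe` on the textarea line marks caller-supplied content as trusted with no escaping at all, and nothing in the code says so. That is presumably the intended opt-out, but it deserves a comment above the call, for example `# "escape" => false emits content verbatim; pass only pre-escaped or trusted text`. Separately, if `content` may be nil (the signature is outside this hunk, so that is an assumption), the opt-out path would call `html_safe` on nil; `content.to_s.html_safe` avoids this.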