content_tag should escape its input

Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
author: Bruno Michel <bmichel@menfin.info> 2010-02-13 19:53:26 -0200
committer: Yehuda Katz <yehudakatz@YK.local> 2010-02-14 12:03:28 -0800
commit: f86421fb282ff2d209914db736ca64380dab044d (patch)
tree: d539bc4dac34268b5ed973bcfc9f80744d059c88 /actionpack/lib/action_view/helpers/url_helper.rb
parent: 411c15ed5220cb07cfb1989d32be956f94a7478f (diff)
download: rails-f86421fb282ff2d209914db736ca64380dab044d.tar.gz
rails-f86421fb282ff2d209914db736ca64380dab044d.tar.bz2
rails-f86421fb282ff2d209914db736ca64380dab044d.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 168a3bdbc0..88ce2a2c0c 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -493,7 +493,7 @@ module ActionView
             char = c.chr
             string << (char =~ /\w/ ? sprintf("%%%x", c) : char)
           end
-          content_tag "a", name || email_address_encoded, html_options.merge({ "href" => "#{string}#{extras}" })
+          content_tag "a", name || email_address_encoded.html_safe, html_options.merge({ "href" => "#{string}#{extras}" })
         else
           content_tag "a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:#{email_address}#{extras}" })
         end
author	Bruno Michel <bmichel@menfin.info>	2010-02-13 19:53:26 -0200
committer	Yehuda Katz <yehudakatz@YK.local>	2010-02-14 12:03:28 -0800
commit	f86421fb282ff2d209914db736ca64380dab044d (patch)
tree	d539bc4dac34268b5ed973bcfc9f80744d059c88 /actionpack/lib/action_view/helpers/url_helper.rb
parent	411c15ed5220cb07cfb1989d32be956f94a7478f (diff)
download	rails-f86421fb282ff2d209914db736ca64380dab044d.tar.gz rails-f86421fb282ff2d209914db736ca64380dab044d.tar.bz2 rails-f86421fb282ff2d209914db736ca64380dab044d.zip