In actionview, eliminate calls to tag that use html_safe parameter values. This is generally unnecessary, since tag handles string quoting, except in one case (utf8_enforcer_tag) where we want to specify the encoding ourselves.

3 files changed, 7 insertions, 8 deletions

diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb
index 88b8400644..7a7ddaa41c 100644
--- a/actionview/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -794,9 +794,11 @@ module ActionView
       end
 
       # Creates the hidden UTF8 enforcer tag. Override this method in a helper
-      # to customize the tag.
+      # to customize the tag.  Note that we have the HTML written out
+      # explicitly here to avoid potential problems with including a
+      # unicode character in output.
       def utf8_enforcer_tag
-        tag(:input, :type => "hidden", :name => "utf8", :value => "✓".html_safe)
+        %{<input name="utf8" type="hidden" value="&#x2713;" />}.html_safe
       end
 
       private
diff --git a/actionview/lib/action_view/helpers/tags/text_field.rb b/actionview/lib/action_view/helpers/tags/text_field.rb
index e910879ebf..e0b80d81c2 100644
--- a/actionview/lib/action_view/helpers/tags/text_field.rb
+++ b/actionview/lib/action_view/helpers/tags/text_field.rb
@@ -7,7 +7,6 @@ module ActionView
           options["size"] = options["maxlength"] unless options.key?("size")
           options["type"] ||= field_type
           options["value"] = options.fetch("value") { value_before_type_cast(object) } unless field_type == "file"
-          options["value"] &&= ERB::Util.html_escape(options["value"])
           add_default_name_and_id(options)
           tag("input", options)
         end
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index 9a9777317a..c3be47133c 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -462,8 +462,6 @@ module ActionView
       #          <strong>Email me:</strong> <span>me@domain.com</span>
       #        </a>
       def mail_to(email_address, name = nil, html_options = {}, &block)
-        email_address = ERB::Util.unwrapped_html_escape(email_address)
-
         html_options, name = name, nil if block_given?
         html_options = (html_options || {}).stringify_keys
 
@@ -471,11 +469,11 @@ module ActionView
           option = html_options.delete(item) || next
           "#{item}=#{Rack::Utils.escape_path(option)}"
         }.compact
-        extras = extras.empty? ? '' : '?' + ERB::Util.unwrapped_html_escape(extras.join('&'))
+        extras = extras.empty? ? '' : '?' + extras.join('&')
 
-        html_options["href"] = "mailto:#{email_address}#{extras}".html_safe
+        html_options["href"] = "mailto:#{email_address}#{extras}"
 
-        content_tag(:a, name || email_address.html_safe, html_options, &block)
+        content_tag(:a, name || email_address, html_options, &block)
       end
 
       # True if the current request URI was generated by the given +options+.