Honor public/private in ActionView::Helpers::Tags::Base#value

* use public_send instead of send to avoid calling private
  methods in form helpers

2 files changed, 7 insertions, 1 deletions

diff --git a/actionview/lib/action_view/helpers/tags/base.rb b/actionview/lib/action_view/helpers/tags/base.rb
index 8607da301c..f8abb19698 100644
--- a/actionview/lib/action_view/helpers/tags/base.rb
+++ b/actionview/lib/action_view/helpers/tags/base.rb
@@ -25,7 +25,7 @@ module ActionView
         private
 
         def value(object)
-          object.send @method_name if object
+          object.public_send @method_name if object
         end
 
         def value_before_type_cast(object)
diff --git a/actionview/test/template/form_helper_test.rb b/actionview/test/template/form_helper_test.rb
index f2238d1443..36e3e64688 100644
--- a/actionview/test/template/form_helper_test.rb
+++ b/actionview/test/template/form_helper_test.rb
@@ -158,6 +158,12 @@ class FormHelperTest < ActionView::TestCase
     assert_raise(NotImplementedError) { FooTag.new.render }
   end
 
+  def test_tags_base_value_honors_public_private
+    test_object = Class.new { private def my_method ; end }.new
+    tag = ActionView::Helpers::Tags::Base.new 'test_object', :my_method, nil
+    assert_raise(NoMethodError) { tag.send :value, test_object }
+  end
+
   def test_label
     assert_dom_equal('<label for="post_title">Title</label>', label("post", "title"))
     assert_dom_equal(