Diffstat (limited to 'actionpack/lib/action_view/helpers')
-rw-r--r--actionpack/lib/action_view/helpers/tag_helper.rb11
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb4
2 files changed, 12 insertions, 3 deletions
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index 6001b21e63..f913c99abb 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -31,10 +31,19 @@ module ActionView
"<![CDATA[#{content}]]>"
end
+ # Escapes a given string, while leaving any currently escaped entities alone.
+ #
+ # escape_once("1 > 2 &amp; 3")
+ # # => "1 &lt; 2 &amp; 3"
+ #
+ def escape_once(html)
+ fix_double_escape(html_escape(html.to_s))
+ end
+
private
def tag_options(options)
cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
- ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
+ ' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
end
def convert_booleans(options)
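Review bot: The example in the new `escape_once` comment is wrong: the input contains `>`, which escapes to `&gt;`, but the documented result shows `&lt;`; it should read `# => "1 &gt; 2 &amp; 3"`. Because the method is added above `private`, it becomes a public view helper, so the comment should also state the trade-off: text that already looks like an entity is passed through rather than escaped, and `h` remains the right call when raw user text must be displayed literally. A line such as `# Note: entity-looking input (e.g. "&lt;b&gt;") is returned unchanged, not re-escaped.` would cover it. `fix_double_escape` is not visible in this hunk, so the exact set of entities it preserves should be confirmed before settling that wording.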
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 42c28335d5..4f52a018a7 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -131,8 +131,8 @@ module ActionView
name ||= url
html_options.merge!("type" => "submit", "value" => name)
-
- "<form method=\"#{form_method}\" action=\"#{h url}\" class=\"button-to\"><div>" +
+
+ "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
method_tag + tag("input", html_options) + "</div></form>"
end
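Review bot: Nothing at the `action=` line says why `escape_once` is used instead of `h`, and the difference matters for what ends up in the attribute. Presumably `url` can arrive already entity-escaped, so `h` produced `&amp;amp;`; a short comment such as `# url may already be entity-escaped; escape_once avoids double-escaping` would record that. The consequence to document is that a raw URL whose query text contains an entity-looking sequence (for example a literal `&lt;` or `&amp;` in a parameter value) is now emitted unchanged and decoded by the browser, so the submitted action can differ from the string the caller passed. The method body starts outside this hunk, so how `url` is produced cannot be confirmed from here.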