From f86421fb282ff2d209914db736ca64380dab044d Mon Sep 17 00:00:00 2001
From: Bruno Michel
Date: Sat, 13 Feb 2010 19:53:26 -0200
Subject: content_tag should escape its input
Signed-off-by: Yehuda Katz
---
actionpack/lib/action_view/helpers/url_helper.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionpack/lib/action_view/helpers/url_helper.rb')
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 168a3bdbc0..88ce2a2c0c 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -493,7 +493,7 @@ module ActionView
 char = c.chr
 string << (char =~ /\w/ ? sprintf("%%%x", c) : char)
 end
- content_tag "a", name || email_address_encoded, html_options.merge({ "href" => "#{string}#{extras}" })
+ content_tag "a", name || email_address_encoded.html_safe, html_options.merge({ "href" => "#{string}#{extras}" })
 else
 content_tag "a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:#{email_address}#{extras}" })
 end
--
cgit v1.2.3
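Review bot: The `.html_safe` on the new `content_tag` line exempts `email_address_encoded` from the escaping this commit relies on, and nothing in the hunk records why that is sound. Its construction is outside the hunk; if it is built only from numeric character references for every byte of the address, the marking is fine, and a comment such as `# every byte is emitted as a numeric entity, so no raw markup reaches the output; name is left unmarked and is still escaped` would pin that invariant for later editors. Because `.` binds tighter than `||`, a caller-supplied `name` is still escaped, which is the behaviour to preserve if this expression is ever parenthesised. The diffstat shows no test change, so a case for this branch with `<` and `"` in the address and in `name` would be worth adding. The enclosing method starts and ends outside the hunk.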