From 1de47a0d56328768dfba0e5f86e1ff9491e62c20 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino <santiago@wyeworks.com>
Date: Wed, 12 Jan 2011 22:05:52 -0200
Subject: [PATCH] button_tag should escape it content

---
 actionpack/lib/action_view/helpers/form_tag_helper.rb | 2 +-
 actionpack/test/template/form_tag_helper_test.rb      | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 159b2a2b8e..d6b74974e9 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -457,7 +457,7 @@ def button_tag(label = "Button", options = {})
           options[option] = "button" unless options[option]
         end
 
-        content_tag :button, label.to_s.html_safe, { "type" => options.delete("type") }.update(options)
+        content_tag :button, label, { "type" => options.delete("type") }.update(options)
       end
 
       # Displays an image which when clicked will submit the form.
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index 0d29b962d5..4a584b8db8 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -413,6 +413,13 @@ def test_button_tag_with_disabled_option
     )
   end
 
+  def test_button_tag_escape_content
+    assert_dom_equal(
+      %(<button name="button" type="reset" disabled="disabled">&lt;b&gt;Reset&lt;/b&gt;</button>),
+      button_tag("<b>Reset</b>", :type => "reset", :disabled => true)
+    )
+  end
+
   def test_image_submit_tag_with_confirmation
     assert_dom_equal(
       %(<input type="image" src="/images/save.gif" data-confirm="Are you sure?" />),
-- 
GitLab