Content_tag does not escape its input


I've read Yehuda Katz's article about SafeBuffers in Rails 3,
and it made me discover that content_tag does not escape its input. I think
it's a security flaw that should be fixed before the release of Rails 3.0.0.

I've opened a ticket on Lighthouse with a patch:

I'll be glad if someone can review my patch.

Bruno Michel
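
A simplified model of the behaviour reported in the post above, added here as an illustration; it is not Rails code and not the patch attached to the ticket. `SafeString`, `escape_unless_safe`, `content_tag_unescaped` and `content_tag_escaped` are hypothetical names, and the sample input is constructed.

```ruby
require 'erb'

# Hypothetical stand-in for a SafeBuffer: a String subclass whose type
# marks the content as already safe to emit into an HTML page.
class SafeString < String
end

# Escape a value unless the caller has explicitly marked it safe.
# Returning a SafeString prevents double escaping when helpers are nested.
def escape_unless_safe(value)
  return value if value.is_a?(SafeString)
  SafeString.new(ERB::Util.html_escape(value.to_s))
end

# Models the reported problem: the content is interpolated as-is, but the
# helper's result is marked safe, so a template layer that only escapes
# unsafe strings will pass the markup through untouched.
def content_tag_unescaped(name, content)
  SafeString.new("<#{name}>#{content}</#{name}>")
end

# Hardened form: the content is escaped on the way in unless it is already
# a SafeString (for example, the output of another helper).
def content_tag_escaped(name, content)
  SafeString.new("<#{name}>#{escape_unless_safe(content)}</#{name}>")
end

# Constructed sample standing in for user-supplied text.
USER_INPUT = '<script>alert(1)</script>'

if __FILE__ == $PROGRAM_NAME
  puts content_tag_unescaped(:p, USER_INPUT)
  puts content_tag_escaped(:p, USER_INPUT)
  # Nested helpers: the inner tag is kept, its text is escaped exactly once.
  puts content_tag_escaped(:div, content_tag_escaped(:b, 'a & b'))
end
```
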