Hello,
I've read Yehuda Katz's article about SafeBuffers in Rails 3 (SafeBuffers and Rails 3.0), and it made me discover that content_tag does not escape its input. I think it's a security flaw that should be fixed before the release of Rails 3.0.0.
I've opened a ticket on Lighthouse with a patch: #3883 Content_tag does not escape its input! - Ruby on Rails - rails.
I'll be glad if someone can review my patch.
Thanks, Bruno Michel
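A constructed Ruby model of the behaviour described in the post, added here as an example; it is not code from Rails or from the author's patch. `SafeString`, `Tags` and the two `content_tag_*` methods are stand-ins for SafeBuffer and content_tag, showing the unescaped form beside one that escapes anything not marked html-safe:

```ruby
require "erb"

# Stand-in for Rails' SafeBuffer (constructed model, not the Rails class):
# a String subclass whose instances are trusted as already-escaped HTML.
class SafeString < String
  def html_safe?
    true
  end
end

# Plain strings (e.g. user input) are untrusted by default.
class String
  def html_safe?
    false
  end
end

module Tags
  module_function

  # Behaviour the post reports: content is interpolated verbatim, so any
  # markup inside the content reaches the page untouched.
  def content_tag_unescaped(name, content)
    "<#{name}>#{content}</#{name}>"
  end

  # Hardened variant: escape anything not explicitly marked html-safe and
  # mark the result safe, so nested tags are not double-escaped.
  def content_tag_escaped(name, content)
    body = content.html_safe? ? content : ERB::Util.html_escape(content)
    SafeString.new("<#{name}>#{body}</#{name}>")
  end
end

if __FILE__ == $PROGRAM_NAME
  untrusted = "<b>hi</b>"                       # constructed sample input
  puts Tags.content_tag_unescaped("p", untrusted)
  puts Tags.content_tag_escaped("p", untrusted)
  puts Tags.content_tag_escaped("div", Tags.content_tag_escaped("p", untrusted))
end
```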