html_escape doesn't work in a text_field_tag?

I've got a standard login form:

<% form_tag session_path do -%>
  <p><label for="login">Login</label><br/>
  <%= text_field_tag 'login', h(@login) %></p>

  <p><label for="password">Password</label><br/>
  <%= password_field_tag 'password', nil %></p>

  <p><%= submit_tag 'Log in' %></p>
<% end -%>

I've included the @login variable in an html_escape, because I saw that if you enter /><iframe>... as the login name, the error gets caught, but the form is now displayed with an iframe. So cross-site scripting is wide open!

However, even with the h(@login), the iframe is still displayed, so it looks like my @login variable isn't escaped. Does anyone know of this problem?
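An added example (not from the original post) that renders the login field by hand in plain Ruby, once with the raw value and once through ERB::Util.html_escape (what Rails' h() calls), to show what escaping does to a value like the question's /><iframe> inside a quoted value attribute. The sample login string and the helper names login_input and attribute_contained? are constructed for this illustration.

```ruby
require "erb"

# Constructed sample input in the spirit of the question's "/><iframe>..." login.
# A leading double quote is needed to close the quoted value attribute.
SAMPLE_LOGIN = '"/><iframe></iframe>'

# Renders the login field by hand so the two behaviours can be compared.
# escape: false drops the raw value into the attribute (the bug the question
# describes); escape: true passes it through ERB::Util.html_escape, which is
# the same function Rails' h() helper uses.
def login_input(value, escape: true)
  v = escape ? ERB::Util.html_escape(value) : value
  %(<input type="text" name="login" id="login" value="#{v}" />)
end

# True when the rendered markup still contains exactly one opening tag, i.e.
# the user-supplied value could not close the attribute and start an element.
def attribute_contained?(html)
  html.scan(/<[a-z]/i).length == 1
end

if __FILE__ == $0
  puts login_input(SAMPLE_LOGIN, escape: false)  # iframe breaks out of the attribute
  puts login_input(SAMPLE_LOGIN)                 # &quot;/&gt;&lt;iframe&gt;... stays inert
end
```

If the escaped field still shows an iframe in the browser, the value is being rendered unescaped somewhere else on the page (for example in an error message), so each place @login is output needs the same check.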