Hi, I posted this on lighthouse a few weeks ago:
A patch, with tests, is included. I'd like to use form helpers but
we're forced not to in some situations because of this bug popping
up. However, this patch may break some behavior that people rely
I would argue that the current behavior is broken. If I pass in the
string "&lt;" to a form helper, I expect it to show up in the browser
as "&lt;", not "<". If some people are passing pre-escaped HTML into
form helpers, that is an ambiguity in their code that they should fix.
Note that applying my patch might cause undesirable behavior in some
people's (broken) applications, but could not possibly introduce any
XSS vulnerabilities. This is because it's replacing a semi-broken
version of HTML escaping with one that's stricter.
If this has been discussed before, I would appreciate a pointer to the
discussion. If it merits further discussion, I would be happy to
argue my case. If this patch is going to be accepted, consider this
message a gentle prod for it to be merged in.
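To make the ambiguity concrete, here is an added example (not code from the post, the patch, or Rails) contrasting an "escape once" style escaper, which leaves anything that already looks like an entity alone, with strict escaping of every special character. The lenient regex, the helper names (`escape_lenient`, `escape_strict`, `displayed`, `collides?`) and the sample inputs are this example's own constructions; the strict path uses Ruby's `CGI.escapeHTML`.

```ruby
require "cgi"

# "Escape once": escapes < > " and any & that is NOT already the start of
# something entity-shaped such as &amp; or &#39;. This is the example's own
# approximation of lenient escaping, not code taken from any Rails release.
LENIENT_PATTERN = /[<>"]|&(?!(?:[a-zA-Z]+|#\d+);)/
ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze

def escape_lenient(str)
  str.gsub(LENIENT_PATTERN) { |m| ESCAPES[m] }
end

# Strict escaping: every & < > " ' becomes an entity, with no entity sniffing.
def escape_strict(str)
  CGI.escapeHTML(str)
end

# Approximates what a browser shows for an attribute value: one round of
# entity decoding.
def displayed(attr_value)
  CGI.unescapeHTML(attr_value)
end

# The value attribute a form helper would emit for the given escaper.
def value_attribute(escaper, str)
  %(value="#{escaper.call(str)}")
end

# True when two distinct inputs collapse onto the same attribute, i.e. the
# output no longer records whether the user typed "&lt;" or "<".
def collides?(escaper, a, b)
  a != b && escaper.call(a) == escaper.call(b)
end

# Constructed sample inputs: the post's case, a bare ampersand, a
# pre-escaped entity, and an attribute-breakout attempt.
SAMPLES = ["&lt;", "<", "a & b", "&copy;", %("><script>alert(1)</script>)].freeze

def report
  SAMPLES.map do |s|
    lenient = escape_lenient(s)
    strict  = escape_strict(s)
    { input: s,
      lenient: lenient, lenient_shows: displayed(lenient),
      strict: strict,   strict_shows: displayed(strict) }
  end
end

if $PROGRAM_NAME == __FILE__
  report.each do |r|
    puts "input #{r[:input].inspect}"
    puts "  escape once -> #{r[:lenient].inspect} (browser shows #{r[:lenient_shows].inspect})"
    puts "  strict      -> #{r[:strict].inspect} (browser shows #{r[:strict_shows].inspect})"
  end
end
```

Running it shows the two points the post makes: both escapers neutralise the `"><script>` sample, so the stricter one cannot open an XSS hole the lenient one had closed, but only the strict escaper keeps `"&lt;"` and `"<"` distinguishable; under escape-once they collide on the same `value="&lt;"`, which is exactly the ambiguity callers who pre-escape their input are relying on.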