According to the documentation, only the url_for from ActionView escapes the URL, which happens on this line:
escape ? html_escape(url) : url
and can be prevented by passing :escape => false to url_for. Still according to the documentation, the url_for from ActionController is not supposed to escape the URL.
BUT IT DOES.
At the moment of this line
escape ? html_escape(url) : url
url has already been escaped by the url_for from action_controller, thus the option :escape is irrelevant.
I believe someone changed something without knowing this.
The url_for from the controller is not supposed to escape the URL, while it does, and the :escape => false just prevents the URL from being escaped AGAIN.
I went a bit into the code, as far as Routing::Routes.generate, so it gets escaped somewhere in there. That's as far as I checked.
Regards,