url_for always escape string.

according to the documentation, only the url_for from ActionView escape
which happens on this line

escape ? html_escape(url) : url

and can be prevented by passing :escape =>
false to url_for.
still according to the documentation, the url_for from ActionController
is not supposed to escape the url.


at the moment of this line

escape ? html_escape(url) : url

url has already been escaped by the url_for from action_controller thus
the option :escape is irrelevant.

I believe someone change something without knowing this.

the url_for from the controller is not suppose to escape the url while
it does. and the :escape => false just prevent the url from being
escaped AGAIN.

I went a bit into the code, as far as Routing::Routes.generate
so it get escaped somewhere in there. That's as far as I check