From 859643252b111e1894a150313f5d6301f56155c2 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Inge=20J=C3=B8rgensen?= <inge@manualdesign.no>
Date: Mon, 15 Dec 2008 14:41:30 +0100
Subject: [PATCH] Made error_messages_for HTML escape it's error messages

---
 .../action_view/helpers/active_record_helper.rb    |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb
index 8b56d24..bb2d900 100644
--- a/actionpack/lib/action_view/helpers/active_record_helper.rb
+++ b/actionpack/lib/action_view/helpers/active_record_helper.rb
@@ -198,7 +198,7 @@ module ActionView
               locale.t :header, :count => count, :model => object_name
             end
             message = options.include?(:message) ? options[:message] : locale.t(:body)
-            error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, msg) } }.join
+            error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, ERB::Util.html_escape(msg)) } }.join
 
             contents = ''
             contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
-- 
1.6.0.4