From 1eba365478132015ce3ee23345fe9b6b998e783c Mon Sep 17 00:00:00 2001
From: Bryan Larsen <bryan@larsen.st>
Date: Sun, 16 Jan 2011 15:25:21 -0500
Subject: [PATCH] [#903] fix textarea security hole for Rails < 2.3.4.

---
 hobo/taglibs/rapid_forms.dryml |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hobo/taglibs/rapid_forms.dryml b/hobo/taglibs/rapid_forms.dryml
index ecb5f93..77e30cd 100644
--- a/hobo/taglibs/rapid_forms.dryml
+++ b/hobo/taglibs/rapid_forms.dryml
@@ -350,11 +350,12 @@ edit collections a `Category` model in your application:
 <def tag="collection-input" for="ActiveRecord::Base"><select-many merge/></def>
 
 
-<!-- A `<textarea>` input -->
+<!-- A `<textarea>` input.  Attributes are passed through to [text_area_tag](http://api.rubyonrails.org/classes/ActionView/Helpers/FormTagHelper.html#method-i-text_area_tag). -->
 <def tag="input" for="text" attrs="name">
-  <%= text_area_tag(name, this, attributes) %>
+  <%= text_area_tag(name, attributes["escape"]==false ? this : html_escape(this), attributes) %>
 </def>
 
+
 <!-- A checkbox plus a hidden-field. The hidden field trick comes from Rails - it means that when the checkbox is not checked, the parameter name is still submitted, with a '0' value (the value is '1' when the checkbox is checked) -->
 <def tag="input" for="boolean" attrs="name">
   <%= unless attributes[:disabled]
-- 
1.7.1