Hello,

I've read the article of Yehuda Katz about the SafeBuffers in Rails 3 (http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/), and it makes me discover that content_tag does not escape its input.

I think it's a security flaw that should be fixed before the release of Rails 3.0.0. I've opened a ticket on lighthouse with a patch: https://rails.lighthouseapp.com/projects/8994/tickets/3883-content_tag-does-not-escape-its-input.

I'll be glad if someone can review my patch.

Thanks,
Bruno Michel