DSA-3651 rails – security update

Andrew Carpenter of Critical Juncture discovered a cross-site scripting
vulnerability affecting Action View in rails, a web application
framework written in Ruby. Text declared as HTML safe will not have
quotes escaped when used as attribute values in tag helpers.
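
The following is a simplified model of the flaw described above and of one way to close it. It is an added example, not Rails or Action View code: the `SafeText` class, the helper names and the sample value are hypothetical and constructed for illustration.

```ruby
require "erb"

# Hypothetical marker type standing in for "text declared as HTML safe".
class SafeText < String; end

# Escape for HTML unless the text is marked safe (shared by both models).
def escape_unless_safe(value)
  value.is_a?(SafeText) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Model of the flawed behaviour: safe text is emitted as-is, so a double
# quote inside it ends the attribute value early.
def attr_flawed(name, value)
  %(#{name}="#{escape_unless_safe(value)}")
end

# Hardened model: an attribute value is a different context from element
# content, so double quotes are escaped even when the text is marked safe.
def attr_hardened(name, value)
  %(#{name}="#{escape_unless_safe(value).gsub('"', '&quot;')}")
end

# Render a tag using the chosen attribute builder (:attr_flawed or :attr_hardened).
def render_tag(name, attrs, builder)
  "<#{name} " + attrs.map { |k, v| send(builder, k, v) }.join(" ") + ">"
end

# Attribute names a parser would see in the rendered tag (name="value" pairs).
def attribute_names(html)
  html.scan(/([\w-]+)="[^"]*"/).flatten
end

# Constructed sample: a value marked safe that contains a double quote.
SAMPLE = SafeText.new('note" data-extra="1')

if __FILE__ == $0
  %i[attr_flawed attr_hardened].each do |builder|
    html = render_tag("input", { "title" => SAMPLE }, builder)
    puts "#{builder}: #{html} -> attributes: #{attribute_names(html).inspect}"
  end
end
```

With the flawed builder the single `title` value is parsed as two attributes; with the hardened builder it stays one.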