lib/liquor/extensions/rails.rb in liquor-0.9.5 vs lib/liquor/extensions/rails.rb in liquor-0.9.6

@@ -34,10 +34,21 @@
     delegate :referer, to: :@request
 
     export :url, :path, :referer
 
     def param(arg, kw={})
-      @request.params[arg.to_s]
+      escape_params(@request.params)[arg.to_s]
+    end
+
+    def escape_params(input)
+      case input
+      when String
+        Rack::Utils.escape_html(input)
+      when Array
+        input.map &method(:escape_params)
+      when Hash
+        Hash[input.map { |k, v| [k.to_s, escape_params(v)] }]
+      end
     end
 
     export :param
 
     def controller