lib/merb-helpers/form/builder.rb in merb-helpers-1.0.4 vs lib/merb-helpers/form/builder.rb in merb-helpers-1.0.5

@@ -241,13 +241,18 @@
 
     def options(col, text_meth, value_meth, sel, b = nil)
       ([b] + col.map do |item|
         text_meth = text_meth && item.respond_to?(text_meth) ? text_meth : :last
         value_meth = value_meth && item.respond_to?(value_meth) ? value_meth : :first
-        
-        text = item.is_a?(String) ? item : item.send(text_meth)
+
+        text  = item.is_a?(String) ? item : item.send(text_meth)
         value = item.is_a?(String) ? item : item.send(value_meth)
+        
+        unless Merb.disabled?(:merb_helper_escaping)
+          text  = Merb::Parse.escape_xml(text)
+          value = Merb::Parse.escape_xml(value)
+        end
 
         option_attrs = {:value => value}
         if sel.is_a?(Array)
           option_attrs.merge!(:selected => "selected") if value.in? sel
         else
@@ -269,10 +274,15 @@
     def control_name(method)
       @obj ? "#{@name}[#{method}]" : method
     end
     
     def control_value(method)
-      @obj ? @obj.send(method) : @origin.params[method]
+      value = @obj ? @obj.send(method) : @origin.params[method]
+      if Merb.disabled?(:merb_helper_escaping)
+        value.to_s
+      else
+        Merb::Parse.escape_xml(value.to_s)
+      end
     end
 
     def add_css_class(attrs, new_class)
       attrs[:class] = attrs[:class] ? "#{attrs[:class]} #{new_class}" : new_class
     end