diff --git a/grails-plugin-gsp/src/main/groovy/org/grails/plugins/web/taglib/FormTagLib.groovy b/grails-plugin-gsp/src/main/groovy/org/grails/plugins/web/taglib/FormTagLib.groovy
index dda33de4530..a32f75f53a0 100644
--- a/grails-plugin-gsp/src/main/groovy/org/grails/plugins/web/taglib/FormTagLib.groovy
+++ b/grails-plugin-gsp/src/main/groovy/org/grails/plugins/web/taglib/FormTagLib.groovy
@@ -1069,7 +1069,7 @@ class FormTagLib implements ApplicationContextAware, InitializingBean, TagLibrar
}
}
keyValue = processFormFieldValueIfNecessary(selectName, "${keyValue}","option")
- writer << "value=\"${keyValue}\" "
+ writer << "value=\"${keyValue.toString().encodeAsHTML()}\" "
if (selected) {
writer << 'selected="selected" '
}
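Review bot: The new line calls `.toString()` before `encodeAsHTML()`, and `toString()` discards whatever encoding state `processFormFieldValueIfNecessary` on the preceding line may have attached to `keyValue`, so if that helper already applies an HTML codec for the `option` case the attribute value will be encoded twice (`&amp;` becoming `&amp;amp;`); it is worth confirming which codec, if any, that helper applies before relying on a second pass here. If the double `toString()`/`encodeAsHTML()` is intentional to force escaping regardless of the page's default codec, a short comment would save the next reader the same question, e.g. `// force HTML attribute escaping of the raw value, independent of the GSP default codec`. The enclosing method starts and ends outside this hunk, so whether the option label and the other attributes written by this method receive the same treatment cannot be judged from here.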
diff --git a/grails-test-suite-web/src/test/groovy/org/grails/web/taglib/SelectTagTests.groovy b/grails-test-suite-web/src/test/groovy/org/grails/web/taglib/SelectTagTests.groovy
index 0b3b7dabd4e..5ade5e22332 100644
--- a/grails-test-suite-web/src/test/groovy/org/grails/web/taglib/SelectTagTests.groovy
+++ b/grails-test-suite-web/src/test/groovy/org/grails/web/taglib/SelectTagTests.groovy
@@ -22,6 +22,14 @@ class SelectTagTests extends AbstractGrailsTagTests {
assertTrue "should have HTML escaped attributes", result.startsWith('"]])
+
+ println result
+ assertTrue "should have HTML escaped values", result.contains('')
+ }
+
void testSelectUsesExpressionForDisable() {
def template = ''
assertOutputContains('disabled="disabled"', template)
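Review bot: `println result` on the added line is debug output left in the test; remove it, since the assertion message already carries the failure context and stray stdout only adds noise to the build log. Separately, as rendered here the expected markup in the new `result.contains('')` check (and the `template = ''` context below it) appears to have been stripped, which would make the added assertion vacuously true for any output — confirm the committed file carries the actual expected escaped option markup in that string. The test method this hunk extends begins before the first line shown.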