
Validation-generated error messages get html-escaped too aggressively #7351

Closed
bensomers opened this issue Aug 14, 2012 · 1 comment

Comments

@bensomers

Just upgraded an app from 3.0.16 to 3.0.18; have not yet gotten the chance to test for this behavior against 3.1.8 and 3.2.8. But the error messages getting automatically built by ActiveRecord are getting mangled by the better html-escaping. I don't think they're getting escaped any more than they were before, but a number of the auto-generated messages include apostrophes, which are now getting escaped. e.g.

```ruby
validates_presence_of :name
```

produces an error that displays like:

```
Name can't be blank
```

Thoughts? I can mark the errors as #html_safe before displaying them. But I don't remember clearly if any of the other auto-generated error messages include the user input in their strings, which would make this approach insecure. And obviously, anytime a developer uses the custom error message options, they may stick user input into the message.
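The concern raised in the post above (that marking auto-generated messages `#html_safe` becomes unsafe as soon as user input reaches a message) as an added Ruby example; this is not code from the original thread or from Rails, it uses the standard library's `ERB::Util.html_escape` in place of Rails' helpers, and the user-supplied value and custom message are constructed:

```ruby
require 'erb'

# Constructed sample messages. The first is the ActiveRecord-style default
# the post complains about; the second is a hypothetical custom message that
# interpolates a user-supplied value, the case the post worries about.
DEFAULT_MESSAGE = "Name can't be blank"
USER_INPUT      = '<script>alert(1)</script>'   # constructed attacker-style value
CUSTOM_MESSAGE  = "Name #{USER_INPUT} is reserved"

# Render error messages as <li> items, the way an errors partial would.
# escape: true  mirrors the escaping behaviour the post describes;
# escape: false mirrors marking each message #html_safe before display.
def render_errors(messages, escape: true)
  messages.map do |msg|
    body = escape ? ERB::Util.html_escape(msg) : msg
    "<li>#{body}</li>"
  end.join
end

# True if the fragment contains any tag other than the template's own <li>,
# i.e. markup that originated inside a message string.
def injected_markup?(fragment)
  fragment.gsub(%r{</?li>}, '').include?('<')
end

# Approximates what a browser shows for an escaped fragment: drops the <li>
# tags and decodes the entities html_escape emits (&amp; last, so nothing is
# decoded twice). This is how the escaped apostrophe shows up as a plain
# apostrophe on screen.
def displayed_text(fragment)
  fragment.gsub(%r{</?li>}, '')
          .gsub('&#39;', "'").gsub('&quot;', '"')
          .gsub('&lt;', '<').gsub('&gt;', '>').gsub('&amp;', '&')
end

if __FILE__ == $PROGRAM_NAME
  puts render_errors([DEFAULT_MESSAGE])                 # apostrophe escaped to &#39;
  puts displayed_text(render_errors([DEFAULT_MESSAGE])) # reads "Name can't be blank"
  puts injected_markup?(render_errors([CUSTOM_MESSAGE]))                # false
  puts injected_markup?(render_errors([CUSTOM_MESSAGE], escape: false)) # true
end
```

The escaped default message decodes back to the intended text in the browser, while the `html_safe`-style path lets a tag from the interpolated value reach the page unescaped.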

@rafaelfranca
Member

They are being escaped, but the browsers show them correctly. This was a security fix, as you can see here: https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion
