@tenderlove recently committed d549df7, which escapes single quotes 😄 👍, but escape_once still leaves them unescaped. And escape_once couldn't handle the hex-encoded entity, which caused it to be double-escaped.
i.e. escape_once("&#x27;") was returning "&amp;#x27;"
and escape_once("'") was returning "'"
Formtastic uses escape_once on field values, so it was causing text inputs containing single quotes to be double-escaped. So if the user submitted the form, it would be saved to the database escaped instead of raw.
Fix escape_once not escaping single quotes and double-escaping hex-en…
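The two failures described in this pull request, reproduced as an added Ruby example (not the Rails source and not the author's patch). The regexes and the helpers `escape_full`, `decode_once` and `round_trip` are hypothetical names in a simplified model, and the sample input is constructed.

```ruby
# Constructed model of the behaviour described in this pull request; not Rails source.
# All names below are hypothetical.
HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#x27;' }.freeze
HTML_UNESCAPE = HTML_ESCAPE.invert.freeze

# "Before": the character class has no single quote, and the negative lookahead
# accepts only named and decimal entities, so the "&" of "&#x27;" is re-escaped.
ONCE_BEFORE = /["><]|&(?!(?:[a-zA-Z]+|#\d+);)/
# "After": single quote added, and hex entities count as already escaped.
ONCE_AFTER = /["><']|&(?!(?:[a-zA-Z]+|#\d+|#[xX][\dA-Fa-f]+);)/

# Full escape, including the single quote as a hex entity.
def escape_full(value)
  value.to_s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

def escape_once_before(value)
  value.to_s.gsub(ONCE_BEFORE) { |c| HTML_ESCAPE[c] }
end

def escape_once_after(value)
  value.to_s.gsub(ONCE_AFTER) { |c| HTML_ESCAPE[c] }
end

# One pass of entity decoding, as a browser does when reading an attribute value.
def decode_once(html)
  html.gsub(/&(?:amp|lt|gt|quot|#x27);/) { |e| HTML_UNESCAPE[e] }
end

# What a form submits when an already-escaped value also goes through escape_once.
def round_trip(value, escaper)
  decode_once(send(escaper, escape_full(value)))
end

if __FILE__ == $PROGRAM_NAME
  sample = "O'Brien <admin>" # constructed input
  puts "before: #{round_trip(sample, :escape_once_before)}"
  puts "after:  #{round_trip(sample, :escape_once_after)}"
end
```

With the "before" pattern the round trip returns the entity text instead of the quote, which is the value that would reach the database.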
since d549df7 broke 2.3 series, can't this be backported there too?
@dgm it looks like the issue was fixed by converting the hex-encoded entity to a decimal-encoded one https://github.com/rails/rails/commits/2-3-stable 88331c5