trailblazer / formular

Form builder for Ruby. Fast, Furious, and Framework-Agnostic.
MIT License
81 stars 17 forks

escape html in attribute values refs #29 #33

Closed aiomaster closed 7 years ago

aiomaster commented 7 years ago

We need to escape HTML for attribute values, otherwise we have serious XSS issues if someone inserts something that is redisplayed without proper escaping. You never want a value in your attributes that is able to destroy your HTML, so we have to escape it. This should not be optional, I think.

fran-worley commented 7 years ago

Thanks for this, I've incorporated this via fdd4ecc540db13e28c675a6c76932e4f2251c603

You can't just escape all attribute values by default as an element might be anything (i.e. a div, etc.) and you might need actual HTML in a data attribute, for example.

I looked into how the Rails form builders work and they just escape the values, as these will be involved with user input. I then looked into Simple Form to see if they do anything else and escaped a few other bits (hint text, error text, etc.), all of which I've added.
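An added Ruby example, not Formular's code and not the commit referenced above, illustrating both sides of this thread: a value containing a double quote breaks out of an unescaped attribute and injects a second attribute, escaping with `CGI.escapeHTML` by default prevents that, and an explicit opt-out is needed for attributes that legitimately carry HTML. The `RawHtml` wrapper, the helper names and the `BREAKOUT_INPUT` string are all constructed for this example.

```ruby
require "cgi"

# RawHtml is a hypothetical marker (not part of Formular) for the case
# fran-worley raises: a value, e.g. in a data attribute, that the caller
# has deliberately built as HTML and must not be escaped.
class RawHtml
  attr_reader :html

  def initialize(html)
    @html = html
  end
end

# Vulnerable rendering: values are interpolated into the attribute string as-is.
def render_attributes_unescaped(attrs)
  attrs.map { |name, value| %(#{name}="#{value}") }.join(" ")
end

# Hardened rendering: every value is escaped by default with CGI.escapeHTML
# (covers & < > " '), so a quote in user input cannot close the attribute.
# Only values explicitly wrapped in RawHtml are passed through verbatim.
def render_attributes_escaped(attrs)
  attrs.map do |name, value|
    rendered = value.is_a?(RawHtml) ? value.html : CGI.escapeHTML(value.to_s)
    %(#{name}="#{rendered}")
  end.join(" ")
end

# Sanity check: count the name="..." pairs in a rendered attribute string.
# If the count differs from the number of attributes we meant to render,
# a value has broken out of its quotes and injected extra attributes.
def attribute_count(rendered)
  rendered.scan(/[\w-]+="[^"]*"/).size
end

# Constructed user input: a double quote followed by text that, unescaped,
# becomes a second attribute on the element.
BREAKOUT_INPUT = %(Bob" data-x=").freeze

if __FILE__ == $PROGRAM_NAME
  attrs = { "name" => "user[name]", "value" => BREAKOUT_INPUT }
  # value="Bob" data-x=""  -> three attributes where two were intended
  puts render_attributes_unescaped(attrs)
  # value="Bob&quot; data-x=&quot;"  -> still two attributes
  puts render_attributes_escaped(attrs)
  # Deliberate HTML in a data attribute survives only when wrapped explicitly.
  puts render_attributes_escaped("data-hint" => RawHtml.new("<em>required</em>"))
end
```

The design choice mirrors the outcome of the thread: escaping is the default for anything that can originate from user input, and passing raw HTML through requires an explicit, visible opt-in at the call site rather than being the silent behaviour.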