Html_escape, a.k.a h doesn't escape single quotes

One should always use double quotes for specifying html attributes, if the attribute content comes from outside, as the html_escape helper escapes only double quotes. In other words:

HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' }