fix for rails security advisory CVE-2016-6316

have to backport for rails 4.0

Change-Id: I3eef6b53bbbd5791109af28e8f8c5467332c7d22
Reviewed-on: https://gerrit.instructure.com/87527
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>

config/initializers/rails_patches.rb

@@ -18,3 +18,14 @@ ActiveRecord::LogSubscriber.class_eval do
   end
   alias_method_chain :sql, :tag
 end
+
+if CANVAS_RAILS4_0
+  # CVE-2016-6316
+  ActionView::Helpers::TagHelper.module_eval do
+    def tag_option(key, value, escape)
+      value = value.join(" ") if value.is_a?(Array)
+      value = ERB::Util.h(value) if escape
+      %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
+    end
+  end
+end