fix: Content argument safety

spec/blueprint/html/safety_spec.cr

@@ -5,6 +5,7 @@ private class DummyPage
 
   private def blueprint
     span { "<script>alert('hello')</script>" }
+    span "<script>alert('content')</script>"
     plain "<script>alert('Plain Text')</script>"
     render(DummyComponent.new) { "<script>alert('DummyComponent')</script>" }
     div(class: "some-class\" onblur=\"alert('Attribute')")
@@ -21,7 +22,7 @@ private class DummyComponent
 end
 
 describe "Blueprint::HTML safety" do
-  it "escapes content passed to tags" do
+  it "escapes content passed to tags via block" do
     page = DummyPage.new
     expected_html = <<-HTML.strip
       <span>&lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;</span>
@@ -30,6 +31,15 @@ describe "Blueprint::HTML safety" do
     page.to_html.should contain(expected_html)
   end
 
+  it "escapes content passed to tags via argument" do
+    page = DummyPage.new
+    expected_html = <<-HTML.strip
+      <span>&lt;script&gt;alert(&#39;content&#39;)&lt;/script&gt;</span>
+    HTML
+
+    page.to_html.should contain(expected_html)
+  end
+
   it "escapes plain text" do
     page = DummyPage.new
     expected_html = <<-HTML.strip

src/blueprint/html/element_registrar.cr

@@ -7,7 +7,7 @@ module Blueprint::HTML
     end
 
     private def {{method_name.id}}(**attributes) : Nil
-      element({{tag}}, **attributes) { "" }
+      element({{tag}}, "", **attributes)
     end
 
     private def {{method_name.id}}(__content__ : String, **attributes) : Nil
@@ -19,7 +19,7 @@ module Blueprint::HTML
     {% tag ||= method_name.tr("_", "-") %}
 
     private def {{method_name.id}}(**attributes) : Nil
-      element({{tag}}, **attributes) { "" }
+      element({{tag}}, "", **attributes)
     end
   end
 
@@ -47,7 +47,7 @@ module Blueprint::HTML
     @buffer << _tag_name
     @buffer << parse_attributes(attributes)
     @buffer << ">"
-    @buffer << __content__
+    ::HTML.escape(__content__, @buffer)
     @buffer << "</"
     @buffer << _tag_name
     @buffer << ">"