Contents written with haml_concat inside a block passed to haml_tag should still be escaped if XSS protection is active. Change existing test and add a new one that makes this cleaer.