Html_escape doesn't work in a text_field_tag?

I’ve got a standard login form:

<% form_tag session_path do -%>

Login
<%= text_field_tag 'login', h(@login) %>

Password
<%= password_field_tag 'password', nil %>

<%= submit_tag 'Log in' %>

<% end -%>

I’ve included the @login variable in an html_escape, because I saw
that if you enter />

However, even with the h(@login), the iframe is still displayed, so it
looks like my @login variable isn’t escaped. Anyone knows of this
problem?