Merge pull request rails#55467 from byroot/erb-escape

`ERB::Util.html_escape`: stop trying to tidy bytes

Author: byroot

actionpack/test/dispatch/debug_exceptions_test.rb

@@ -402,7 +402,7 @@ def self.build_app(app, *args)
       "action_dispatch.parameter_filter" => [:foo] }
     assert_response 500
 
-    assert_match(CGI.escape_html({ "foo" => "[FILTERED]" }.inspect[1..-2]), body)
+    assert_match(ERB::Util.html_escape({ "foo" => "[FILTERED]" }.inspect[1..-2]), body)
   end
 
   test "show registered original exception if the last exception is TemplateError" do
@@ -466,7 +466,7 @@ def self.build_app(app, *args)
     })
     assert_response 500
 
-    assert_includes(body, CGI.escapeHTML(PP.pp(params, +"", 200)))
+    assert_includes(body, ERB::Util.html_escape(PP.pp(params, +"", 200)))
   end
 
   test "sets the HTTP charset parameter" do

actionview/lib/action_view/buffers.rb

@@ -45,7 +45,7 @@ def <<(value)
         @raw_buffer << if value.html_safe?
           value
         else
-          CGI.escapeHTML(value)
+          ERB::Util.unwrapped_html_escape(value)
         end
       end
       self

actionview/lib/action_view/helpers/form_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "action_view/helpers/date_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/form_tag_helper"

actionview/lib/action_view/helpers/form_options_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "erb"
 require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/array/extract_options"

actionview/lib/action_view/helpers/form_tag_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/text_helper"

actionview/test/template/form_tag_helper_test.rb

@@ -581,7 +581,7 @@ def test_text_field_tag_size_symbol
 
   def test_text_field_tag_with_ac_parameters
     actual = text_field_tag "title", ActionController::Parameters.new(key: "value")
-    value = CGI.escapeHTML({ "key" => "value" }.inspect)
+    value = ERB::Util.html_escape({ "key" => "value" }.inspect)
     expected = %(<input id="title" name="title" type="text" value="#{value}" />)
     assert_dom_equal expected, actual
   end

activesupport/lib/active_support/core_ext/erb/util.rb

@@ -12,7 +12,7 @@ def html_escape(s) # :nodoc:
         if s.html_safe?
           s
         else
-          super(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
+          super(s)
         end
       end
       alias :unwrapped_html_escape :html_escape # :nodoc:
@@ -61,7 +61,7 @@ module Util
     #   html_escape_once('<< Accept & Checkout')
     #   # => "<< Accept & Checkout"
     def html_escape_once(s)
-      ActiveSupport::Multibyte::Unicode.tidy_bytes(s.to_s).gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE).html_safe
+      s.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE).html_safe
     end
 
     module_function :html_escape_once

activesupport/lib/active_support/core_ext/string/output_safety.rb

@@ -196,14 +196,14 @@ def #{unsafe_method}!(*args, &block)            # def gsub!(*args, &block)
 
     private
       def explicit_html_escape_interpolated_argument(arg)
-        (!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)
+        (!html_safe? || arg.html_safe?) ? arg : ERB::Util.unwrapped_html_escape(arg)
       end
 
       def implicit_html_escape_interpolated_argument(arg)
         if !html_safe? || arg.html_safe?
           arg
         else
-          CGI.escapeHTML(arg.to_str)
+          ERB::Util.unwrapped_html_escape(arg.to_str)
         end
       end
 

activesupport/test/core_ext/string_ext_test.rb

@@ -1102,12 +1102,6 @@ def to_s
     assert_equal expected, ERB::Util.html_escape(string)
   end
 
-  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
-    string = "\251 <"
-    expected = "© &lt;"
-    assert_equal expected, ERB::Util.html_escape(string)
-  end
-
   test "ERB::Util.html_escape should not escape safe strings" do
     string = "<b>hello</b>".html_safe
     assert_equal string, ERB::Util.html_escape(string)
@@ -1121,12 +1115,6 @@ def to_s
     assert_equal escaped_string, ERB::Util.html_escape_once(escaped_string)
   end
 
-  test "ERB::Util.html_escape_once should correctly handle invalid UTF-8 strings" do
-    string = "\251 <"
-    expected = "© &lt;"
-    assert_equal expected, ERB::Util.html_escape_once(string)
-  end
-
   test "ERB::Util.xml_name_escape should escape unsafe characters for XML names" do
     unsafe_char = ">"
     safe_char = "Á"

railties/lib/rails/info.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
+require "active_support/core_ext/erb/util"
 
 module Rails
   # This module helps build the runtime properties that are displayed in
@@ -44,11 +43,11 @@ def to_s
       def to_html
         (+"<table>").tap do |table|
           properties.each do |(name, value)|
-            table << %(<tr><td class="name">#{CGI.escapeHTML(name.to_s)}</td>)
+            table << %(<tr><td class="name">#{ERB::Util.html_escape(name.to_s)}</td>)
             formatted_value = if value.kind_of?(Array)
-              "<ul>" + value.map { |v| "<li>#{CGI.escapeHTML(v.to_s)}</li>" }.join + "</ul>"
+              "<ul>" + value.map { |v| "<li>#{ERB::Util.html_escape(v.to_s)}</li>" }.join + "</ul>"
             else
-              CGI.escapeHTML(value.to_s)
+              ERB::Util.html_escape(value.to_s)
             end
             table << %(<td class="value">#{formatted_value}</td></tr>)
           end