Consistently use ERB::Util.html_escape over CGI.escapeHTML

byroot · byroot · commit b76da429cf70 · 2025-08-08T11:36:58.000+02:00
The ERB method save on duping the string if there's nothing to
escape, which is more often than not the case.
diff --git a/actionpack/test/dispatch/debug_exceptions_test.rb b/actionpack/test/dispatch/debug_exceptions_test.rb
@@ -402,7 +402,7 @@ def self.build_app(app, *args)
       "action_dispatch.parameter_filter" => [:foo] }
     assert_response 500
 
-    assert_match(CGI.escape_html({ "foo" => "[FILTERED]" }.inspect[1..-2]), body)
+    assert_match(ERB::Util.html_escape({ "foo" => "[FILTERED]" }.inspect[1..-2]), body)
   end
 
   test "show registered original exception if the last exception is TemplateError" do
@@ -466,7 +466,7 @@ def self.build_app(app, *args)
     })
     assert_response 500
 
-    assert_includes(body, CGI.escapeHTML(PP.pp(params, +"", 200)))
+    assert_includes(body, ERB::Util.html_escape(PP.pp(params, +"", 200)))
   end
 
   test "sets the HTTP charset parameter" do
diff --git a/actionview/lib/action_view/buffers.rb b/actionview/lib/action_view/buffers.rb
@@ -45,7 +45,7 @@ def <<(value)
         @raw_buffer << if value.html_safe?
           value
         else
-          CGI.escapeHTML(value)
+          ERB::Util.unwrapped_html_escape(value)
         end
       end
       self
diff --git a/actionview/lib/action_view/helpers/form_helper.rb b/actionview/lib/action_view/helpers/form_helper.rb
@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "action_view/helpers/date_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/form_tag_helper"
diff --git a/actionview/lib/action_view/helpers/form_options_helper.rb b/actionview/lib/action_view/helpers/form_options_helper.rb
@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "erb"
 require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/array/extract_options"
diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/text_helper"
diff --git a/actionview/test/template/form_tag_helper_test.rb b/actionview/test/template/form_tag_helper_test.rb
@@ -581,7 +581,7 @@ def test_text_field_tag_size_symbol
 
   def test_text_field_tag_with_ac_parameters
     actual = text_field_tag "title", ActionController::Parameters.new(key: "value")
-    value = CGI.escapeHTML({ "key" => "value" }.inspect)
+    value = ERB::Util.html_escape({ "key" => "value" }.inspect)
     expected = %(<input id="title" name="title" type="text" value="#{value}" />)
     assert_dom_equal expected, actual
   end
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -196,14 +196,14 @@ def #{unsafe_method}!(*args, &block)            # def gsub!(*args, &block)
 
     private
       def explicit_html_escape_interpolated_argument(arg)
-        (!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)
+        (!html_safe? || arg.html_safe?) ? arg : ERB::Util.unwrapped_html_escape(arg)
       end
 
       def implicit_html_escape_interpolated_argument(arg)
         if !html_safe? || arg.html_safe?
           arg
         else
-          CGI.escapeHTML(arg.to_str)
+          ERB::Util.unwrapped_html_escape(arg.to_str)
         end
       end
 
diff --git a/railties/lib/rails/info.rb b/railties/lib/rails/info.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
+require "active_support/core_ext/erb/util"
 
 module Rails
   # This module helps build the runtime properties that are displayed in
@@ -44,11 +43,11 @@ def to_s
       def to_html
         (+"<table>").tap do |table|
           properties.each do |(name, value)|
-            table << %(<tr><td class="name">#{CGI.escapeHTML(name.to_s)}</td>)
+            table << %(<tr><td class="name">#{ERB::Util.html_escape(name.to_s)}</td>)
             formatted_value = if value.kind_of?(Array)
-              "<ul>" + value.map { |v| "<li>#{CGI.escapeHTML(v.to_s)}</li>" }.join + "</ul>"
+              "<ul>" + value.map { |v| "<li>#{ERB::Util.html_escape(v.to_s)}</li>" }.join + "</ul>"
             else
-              CGI.escapeHTML(value.to_s)
+              ERB::Util.html_escape(value.to_s)
             end
             table << %(<td class="value">#{formatted_value}</td></tr>)
           end
diff --git a/railties/test/rails_info_test.rb b/railties/test/rails_info_test.rb
@@ -39,7 +39,7 @@ def test_html_includes_middleware
     html = Rails::Info.to_html
     assert_includes html, '<tr><td class="name">Middleware</td>'
     properties.value_for("Middleware").each do |value|
-      assert_includes html, "<li>#{CGI.escapeHTML(value)}</li>"
+      assert_includes html, "<li>#{ERB::Util.html_escape(value)}</li>"
     end
   end
 
diff --git a/tools/preview_docs.rb b/tools/preview_docs.rb
@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require "erb"
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
+require "active_support/core_ext/string/output_safety"
 
 # How to test:
 #
@@ -41,9 +39,10 @@ def link_to(name, url)
     "<a href=\"#{escape(url)}\">#{escape(name)}</a>"
   end
 
-  def escape(str)
-    CGI.escapeHTML(str)
-  end
+  private
+    def escape(str)
+      ERB::Util.html_escape(str)
+    end
 end
 
 module EnvVars
