[ruby] Use ERB::Escape for html escaping (#10176)

p8 · eastspire · web-flow · commit 5b03eb973ce7 · 2025-10-14T10:12:52.000-07:00
It should be slight faster as it doesn't allocate a new string when nothing needs to be escaped. https://github.com/ruby/erb/blob/6a5729b7e291e30432f3955e443cc3e6c9215b60/ext/erb/escape/escape.c Also Rack::Utils delegates to ERB if it's present. Co-authored-by: 尤雨东 <root@ltpp.vip>
diff --git a/frameworks/Ruby/agoo/app.rb b/frameworks/Ruby/agoo/app.rb
@@ -127,7 +127,7 @@ def self.call(_req)
     f_2 = f_1.map(&:to_h).
             append({ 'id' => '0', 'message' => 'Additional fortune added at request time.' }).
               sort_by { |item| item['message'] }.
-                map { |f| "<tr><td>#{ f['id'] }</td><td>#{ CGI.escape_html(f['message']) }</td></tr>" }.
+                map { |f| "<tr><td>#{ f['id'] }</td><td>#{ ERB::Escape.html_escape(f['message']) }</td></tr>" }.
                   join
 
     html_response(<<-HTML)
diff --git a/frameworks/Ruby/rack-sequel/hello_world.rb b/frameworks/Ruby/rack-sequel/hello_world.rb
@@ -70,7 +70,7 @@ def fortunes
       html << <<~"HTML"
       <tr>
         <td>#{fortune.id}</td>
-        <td>#{CGI.escape_html(fortune.message)}</td>
+        <td>#{ERB::Escape.html_escape(fortune.message)}</td>
       </tr>
       HTML
     end
diff --git a/frameworks/Ruby/rack/hello_world.rb b/frameworks/Ruby/rack/hello_world.rb
@@ -58,7 +58,7 @@ def fortunes
     buffer << TEMPLATE_PREFIX
 
     fortunes.each do |item|
-      buffer << "<tr><td>#{item[:id]}</td><td>#{Rack::Utils.escape_html(item[:message])}</td></tr>"
+      buffer << "<tr><td>#{item[:id]}</td><td>#{ERB::Escape.html_escape(item[:message])}</td></tr>"
     end
     buffer << TEMPLATE_POSTFIX
   end
diff --git a/frameworks/Ruby/sinatra-sequel/views/fortunes.erb b/frameworks/Ruby/sinatra-sequel/views/fortunes.erb
@@ -6,7 +6,7 @@
 <% @fortunes.each do |fortune| %>
 <tr>
   <td><%= fortune.id %></td>
-  <td><%= CGI.escape_html(fortune.message) %></td>
+  <td><%= ERB::Escape.html_escape(fortune.message) %></td>
 </tr>
 <% end %>
 </table>
diff --git a/frameworks/Ruby/sinatra/views/fortunes.erb b/frameworks/Ruby/sinatra/views/fortunes.erb
@@ -6,7 +6,7 @@
 <% @fortunes.each do |fortune| %>
 <tr>
   <td><%= fortune.id %></td>
-  <td><%= CGI.escape_html(fortune.message) %></td>
+  <td><%= ERB::Escape.html_escape(fortune.message) %></td>
 </tr>
 <% end %>
 </table>
