Merge pull request #18236 from vipulnsward/dont-eval-frozen

Fix html_safe string access modifying frozen values

2 files changed, 12 insertions, 1 deletions

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index ba92afd5f4..24d0f9319f 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -150,7 +150,9 @@ module ActiveSupport #:nodoc:
       else
         if html_safe?
           new_safe_buffer = super
-          new_safe_buffer.instance_variable_set :@html_safe, true
+          unless new_safe_buffer.respond_to?(:frozen?) && new_safe_buffer.frozen?
+            new_safe_buffer.instance_variable_set :@html_safe, true
+          end
           new_safe_buffer
         else
           to_str[*args]
diff --git a/activesupport/test/safe_buffer_test.rb b/activesupport/test/safe_buffer_test.rb
index efa9d5e61f..fca4b45276 100644
--- a/activesupport/test/safe_buffer_test.rb
+++ b/activesupport/test/safe_buffer_test.rb
@@ -165,4 +165,13 @@ class SafeBufferTest < ActiveSupport::TestCase
     x = 'foo %{x} bar'.html_safe % { x: 'qux' }
     assert x.html_safe?, 'should be safe'
   end
+
+  test 'Should not affect frozen objects when accessing characters' do
+    x = 'Hello'.html_safe
+    assert_nothing_raised do
+      x[/a/, 1]
+    end
+  end
+
+
 end