Call html_escape in ERB::Util module and don't mix it in in the helpers

7 files changed, 24 insertions, 20 deletions

diff --git a/actionpack/lib/action_view/helpers/asset_tag_helper.rb b/actionpack/lib/action_view/helpers/asset_tag_helper.rb
index d0f91f6b71..a728fde748 100644
--- a/actionpack/lib/action_view/helpers/asset_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/asset_tag_helper.rb
@@ -4,6 +4,7 @@ require 'action_view/helpers/url_helper'
 require 'action_view/helpers/tag_helper'
 require 'active_support/core_ext/file'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Asset Tag Helpers
@@ -819,7 +820,7 @@ module ActionView
         end
 
         def stylesheet_tag(source, options)
-          tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => html_escape(path_to_stylesheet(source)) }.merge(options), false, false)
+          tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => ERB::Util.html_escape(path_to_stylesheet(source)) }.merge(options), false, false)
         end
 
         def compute_javascript_paths(*args)
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index b34a74788e..d6e175c7e8 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -5,6 +5,7 @@ require 'action_view/helpers/form_tag_helper'
 require 'active_support/core_ext/class/inheritable_attributes'
 require 'active_support/core_ext/hash/slice'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Form Helpers
@@ -907,7 +908,7 @@ module ActionView
         end
         options["type"]  ||= field_type
         options["value"] = options.fetch("value"){ value_before_type_cast(object) } unless field_type == "file"
-        options["value"] &&= html_escape(options["value"])
+        options["value"] &&= ERB::Util.html_escape(options["value"])
         add_default_name_and_id(options)
         tag("input", options)
       end
@@ -943,7 +944,7 @@ module ActionView
           options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
         end
 
-        content_tag("textarea", html_escape(options.delete('value') || value_before_type_cast(object)), options)
+        content_tag("textarea", ERB::Util.html_escape(options.delete('value') || value_before_type_cast(object)), options)
       end
 
       def to_check_box_tag(options = {}, checked_value = "1", unchecked_value = "0")
diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
index 7ead0599f3..6ac8577785 100644
--- a/actionpack/lib/action_view/helpers/form_options_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
@@ -2,6 +2,7 @@ require 'cgi'
 require 'erb'
 require 'action_view/helpers/form_helper'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Form Option Helpers
@@ -100,7 +101,6 @@ module ActionView
     #
     module FormOptionsHelper
       # ERB::Util can mask some helpers like textilize. Make sure to include them.
-      include ERB::Util
       include TextHelper
 
       # Create a select tag and a series of contained option tags for the provided object and method.
@@ -306,7 +306,7 @@ module ActionView
           text, value = option_text_and_value(element).map(&:to_s)
           selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
           disabled_attribute = ' disabled="disabled"' if disabled && option_value_selected?(value, disabled)
-          %(<option value="#{html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{html_escape(text)}</option>)
+          %(<option value="#{ERB::Util.html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{ERB::Util.html_escape(text)}</option>)
         end.join("\n").html_safe
 
       end
@@ -396,7 +396,7 @@ module ActionView
       def option_groups_from_collection_for_select(collection, group_method, group_label_method, option_key_method, option_value_method, selected_key = nil)
         collection.map do |group|
           group_label_string = eval("group.#{group_label_method}")
-          "<optgroup label=\"#{html_escape(group_label_string)}\">" +
+          "<optgroup label=\"#{ERB::Util.html_escape(group_label_string)}\">" +
             options_from_collection_for_select(eval("group.#{group_method}"), option_key_method, option_value_method, selected_key) +
             '</optgroup>'
         end.join.html_safe
@@ -501,7 +501,7 @@ module ActionView
           return "" unless Array === element
           html_attributes = []
           element.select { |e| Hash === e }.reduce({}, :merge).each do |k, v|
-            html_attributes << " #{k}=\"#{html_escape(v.to_s)}\""
+            html_attributes << " #{k}=\"#{ERB::Util.html_escape(v.to_s)}\""
           end
           html_attributes.join
         end
@@ -595,11 +595,11 @@ module ActionView
       private
         def add_options(option_tags, options, value = nil)
           if options[:include_blank]
-            option_tags = "<option value=\"\">#{html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
+            option_tags = "<option value=\"\">#{ERB::Util.html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
           end
           if value.blank? && options[:prompt]
             prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
-            option_tags = "<option value=\"\">#{html_escape(prompt)}</option>\n" + option_tags
+            option_tags = "<option value=\"\">#{ERB::Util.html_escape(prompt)}</option>\n" + option_tags
           end
           option_tags.html_safe
         end
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index ae83b6bf39..92645f5cf9 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -1,6 +1,7 @@
 require 'cgi'
 require 'action_view/helpers/tag_helper'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Form Tag Helpers
@@ -287,7 +288,7 @@ module ActionView
         end
 
         escape = options.key?("escape") ? options.delete("escape") : true
-        content = html_escape(content) if escape
+        content = ERB::Util.html_escape(content) if escape
 
         content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
       end
diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb
index 41cd8d5171..f3a429fcce 100644
--- a/actionpack/lib/action_view/helpers/prototype_helper.rb
+++ b/actionpack/lib/action_view/helpers/prototype_helper.rb
@@ -1,6 +1,7 @@
 require 'set'
 require 'active_support/json'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Prototype Helpers
@@ -131,7 +132,7 @@ module ActionView
 
         url_options = options[:url]
         url_options = url_options.merge(:escape => false) if url_options.is_a?(Hash)
-        function << "'#{html_escape(escape_javascript(url_for(url_options)))}'"
+        function << "'#{ERB::Util.html_escape(escape_javascript(url_for(url_options)))}'"
         function << ", #{javascript_options})"
 
         function = "#{options[:before]}; #{function}" if options[:before]
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index 48c65acace..7dd3a27a5d 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -1,4 +1,5 @@
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 require 'set'
 
 module ActionView
@@ -7,8 +8,6 @@ module ActionView
     # Provides methods to generate HTML tags programmatically when you can't use
     # a Builder. By default, they output XHTML compliant tags.
     module TagHelper
-      include ERB::Util
-
       extend ActiveSupport::Concern
       include CaptureHelper
 
@@ -130,14 +129,14 @@ module ActionView
                   if !v.is_a?(String) && !v.is_a?(Symbol)
                     v = v.to_json
                   end
-                  v = html_escape(v) if escape
+                  v = ERB::Util.html_escape(v) if escape
                   attrs << %(data-#{k.to_s.dasherize}="#{v}")
                 end
               elsif BOOLEAN_ATTRIBUTES.include?(key)
                 attrs << %(#{key}="#{key}") if value
               elsif !value.nil?
                 final_value = value.is_a?(Array) ? value.join(" ") : value
-                final_value = html_escape(final_value) if escape
+                final_value = ERB::Util.html_escape(final_value) if escape
                 attrs << %(#{key}="#{final_value}")
               end
             end
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index c007cac47f..c23315b344 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -1,6 +1,7 @@
 require 'action_view/helpers/javascript_helper'
 require 'active_support/core_ext/array/access'
 require 'active_support/core_ext/hash/keys'
+require 'active_support/core_ext/string/output_safety'
 require 'action_dispatch'
 
 module ActionView
@@ -240,8 +241,8 @@ module ActionView
           href = html_options['href']
           tag_options = tag_options(html_options)
 
-          href_attr = "href=\"#{html_escape(url)}\"" unless href
-          "<a #{href_attr}#{tag_options}>#{html_escape(name || url)}</a>".html_safe
+          href_attr = "href=\"#{ERB::Util.html_escape(url)}\"" unless href
+          "<a #{href_attr}#{tag_options}>#{ERB::Util.html_escape(name || url)}</a>".html_safe
         end
       end
 
@@ -326,7 +327,7 @@ module ActionView
 
         html_options.merge!("type" => "submit", "value" => name)
 
-        ("<form method=\"#{form_method}\" action=\"#{html_escape(url)}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
+        ("<form method=\"#{form_method}\" action=\"#{ERB::Util.html_escape(url)}\" #{"data-remote=\"true\"" if remote} class=\"button_to\"><div>" +
           method_tag + tag("input", html_options) + request_token_tag + "</div></form>").html_safe
       end
 
@@ -472,7 +473,7 @@ module ActionView
       #            :subject => "This is an example email"
       #   # => <a href="mailto:me@domain.com?cc=ccaddress@domain.com&subject=This%20is%20an%20example%20email">My email</a>
       def mail_to(email_address, name = nil, html_options = {})
-        email_address = html_escape(email_address)
+        email_address = ERB::Util.html_escape(email_address)
 
         html_options = html_options.stringify_keys
         encode = html_options.delete("encode").to_s
@@ -481,7 +482,7 @@ module ActionView
           option = html_options.delete(item) || next
           "#{item}=#{Rack::Utils.escape(option).gsub("+", "%20")}"
         }.compact
-        extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
+        extras = extras.empty? ? '' : '?' + ERB::Util.html_escape(extras.join('&'))
 
         email_address_obfuscated = email_address.dup
         email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.key?("replace_at")