Move escape_once logic to ERB::Util, where it belongs to

All the logic is based on the HTML_ESCAPE constant available in
ERB::Util, so it seems more logic to have the entire method there and
just delegate the helper to use it.

2 files changed, 15 insertions, 1 deletions

diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index d7a2651bad..ecd26891d6 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -118,7 +118,7 @@ module ActionView
       #   escape_once("<< Accept & Checkout")
       #   # => "<< Accept & Checkout"
       def escape_once(html)
-        html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+        ERB::Util.html_escape_once(html)
       end
 
       private
diff --git a/actionpack/test/template/erb_util_test.rb b/actionpack/test/template/erb_util_test.rb
index eba2ef64e0..ca2710e9b3 100644
--- a/actionpack/test/template/erb_util_test.rb
+++ b/actionpack/test/template/erb_util_test.rb
@@ -44,4 +44,18 @@ class ErbUtilTest < ActiveSupport::TestCase
       assert_equal chr, html_escape(chr)
     end
   end
+
+  def test_html_escape_once
+    assert_equal '1 &lt; 2 &amp; 3', html_escape_once('1 < 2 &amp; 3')
+  end
+
+  def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
+    value = html_escape_once('1 < 2 &amp; 3')
+    assert !value.html_safe?
+  end
+
+  def test_html_escape_once_returns_safe_strings_when_passed_safe_strings
+    value = html_escape_once('1 < 2 &amp; 3'.html_safe)
+    assert value.html_safe?
+  end
 end