For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).

  * Additionally, instead of doing concat("</form>".html_safe), you can do
    safe_concat("</form>"), which will skip both the flag set, and the flag
    check.
  * For the first pass, I converted virtually all #html_safe!s to #html_safe,
    and the tests pass. A further optimization would be to try to use
    #safe_concat as much as possible, reducing the performance impact if
    we know up front that a String is safe.

2 files changed, 86 insertions, 21 deletions

diff --git a/activesupport/lib/active_support.rb b/activesupport/lib/active_support.rb
index 833ae351b9..ae31d191c0 100644
--- a/activesupport/lib/active_support.rb
+++ b/activesupport/lib/active_support.rb
@@ -67,5 +67,6 @@ module ActiveSupport
     autoload :XmlMini
   end
 
+  autoload :SafeBuffer, "active_support/core_ext/string/output_safety"
   autoload :TestCase
 end
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index ceed90ce79..3977971e8d 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -1,3 +1,53 @@
+require "erb"
+
+class ERB
+  module Util
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
+    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+
+    # A utility method for escaping HTML tag characters.
+    # This method is also aliased as <tt>h</tt>.
+    #
+    # In your ERb templates, use this method to escape any unsafe content. For example:
+    #   <%=h @person.name %>
+    #
+    # ==== Example:
+    #   puts html_escape("is a > 0 & a < 10?")
+    #   # => is a &gt; 0 &amp; a &lt; 10?
+    def html_escape(s)
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+      end
+    end
+
+    undef :h
+    alias h html_escape
+
+    module_function :html_escape
+    module_function :h
+
+    # A utility method for escaping HTML entities in JSON strings.
+    # This method is also aliased as <tt>j</tt>.
+    #
+    # In your ERb templates, use this method to escape any HTML entities:
+    #   <%=j @person.to_json %>
+    #
+    # ==== Example:
+    #   puts json_escape("is a > 0 & a < 10?")
+    #   # => is a \u003E 0 \u0026 a \u003C 10?
+    def json_escape(s)
+      s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
+    end
+
+    alias j json_escape
+    module_function :j
+    module_function :json_escape
+  end
+end
+
 class Object
   def html_safe?
     false
@@ -10,32 +60,46 @@ class Fixnum
   end
 end
 
-class String
-  attr_accessor :_rails_html_safe
-  alias html_safe? _rails_html_safe
+module ActiveSupport #:nodoc:
+  class SafeBuffer < String
+    alias safe_concat concat
 
-  def html_safe!
-    @_rails_html_safe = true
-    self
-  end
+    def concat(value)
+      if value.html_safe?
+        super(value)
+      else
+        super(ERB::Util.h(value))
+      end
+    end
 
-  def html_safe
-    dup.html_safe!
-  end
+    def +(other)
+      dup.concat(other)
+    end
+
+    def <<(value)
+      self.concat(value)
+    end
+
+    def html_safe?
+      true
+    end
+
+    def html_safe
+      self
+    end
 
-  alias original_plus +
-  def +(other)
-    result = original_plus(other)
-    result._rails_html_safe = html_safe? && other.html_safe?
-    result
+    def to_s
+      self
+    end
   end
+end
 
-  alias original_concat <<
-  alias safe_concat <<
-  def <<(other)
-    @_rails_html_safe = false unless other.html_safe?
-    result = original_concat(other)
+class String
+  def html_safe!
+    raise "You can't call html_safe! on a String"
   end
 
-  alias concat <<
+  def html_safe
+    ActiveSupport::SafeBuffer.new(self)
+  end
 end
\ No newline at end of file