Restore performance of ERB::Util.html_escape

Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8

Signed-off-by: José Valim <jose.valim@gmail.com>

1 files changed, 17 insertions, 6 deletions

diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index ade09efc56..47b9f68ed0 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -21,12 +21,6 @@ class StringInflectionsTest < Test::Unit::TestCase
   include InflectorTestCases
   include ConstantizeTestCases
 
-  def test_erb_escape
-    string = [192, 60].pack('CC')
-    expected = 192.chr + "&lt;"
-    assert_equal expected, ERB::Util.html_escape(string)
-  end
-
   def test_strip_heredoc_on_an_empty_string
     assert_equal '', ''.strip_heredoc
   end
@@ -497,6 +491,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
     assert string.html_safe?
     assert !string.to_param.html_safe?
   end
+
+  test "ERB::Util.html_escape should escape unsafe characters" do
+    string = '<>&"'
+    expected = '&lt;&gt;&amp;&quot;'
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
+  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
+  test "ERB::Util.html_escape should not escape safe strings" do
+    string = "<b>hello</b>".html_safe
+    assert_equal string, ERB::Util.html_escape(string)
+  end
 end
 
 class StringExcludeTest < ActiveSupport::TestCase