4 files changed, 84 insertions, 27 deletions

diff --git a/activesupport/lib/active_support/core_ext/string/access.rb b/activesupport/lib/active_support/core_ext/string/access.rb
index 6018fd9641..ebd0dd3fc7 100644
--- a/activesupport/lib/active_support/core_ext/string/access.rb
+++ b/activesupport/lib/active_support/core_ext/string/access.rb
@@ -64,7 +64,7 @@ class String
 
   # Returns the first character. If a limit is supplied, returns a substring
   # from the beginning of the string until it reaches the limit value. If the
-  # given limit is greater than or equal to the string length, returns self.
+  # given limit is greater than or equal to the string length, returns a copy of self.
   #
   #   str = "hello"
   #   str.first    # => "h"
@@ -76,7 +76,7 @@ class String
     if limit == 0
       ''
     elsif limit >= size
-      self
+      self.dup
     else
       to(limit - 1)
     end
@@ -84,7 +84,7 @@ class String
 
   # Returns the last character of the string. If a limit is supplied, returns a substring
   # from the end of the string until it reaches the limit value (counting backwards). If
-  # the given limit is greater than or equal to the string length, returns self.
+  # the given limit is greater than or equal to the string length, returns a copy of self.
   #
   #   str = "hello"
   #   str.last    # => "o"
@@ -96,7 +96,7 @@ class String
     if limit == 0
       ''
     elsif limit >= size
-      self
+      self.dup
     else
       from(-limit)
     end
diff --git a/activesupport/lib/active_support/core_ext/string/filters.rb b/activesupport/lib/active_support/core_ext/string/filters.rb
index 49c0df6026..096292dc58 100644
--- a/activesupport/lib/active_support/core_ext/string/filters.rb
+++ b/activesupport/lib/active_support/core_ext/string/filters.rb
@@ -3,7 +3,7 @@ class String
   # the string, and then changing remaining consecutive whitespace
   # groups into one space each.
   #
-  # Note that it handles both ASCII and Unicode whitespace like mongolian vowel separator (U+180E).
+  # Note that it handles both ASCII and Unicode whitespace.
   #
   #   %{ Multi-line
   #      string }.squish                   # => "Multi-line string"
@@ -13,6 +13,9 @@ class String
   end
 
   # Performs a destructive squish. See String#squish.
+  #   str = " foo   bar    \n   \t   boo"
+  #   str.squish!                         # => "foo bar boo"
+  #   str                                 # => "foo bar boo"
   def squish!
     gsub!(/\A[[:space:]]+/, '')
     gsub!(/[[:space:]]+\z/, '')
@@ -20,14 +23,24 @@ class String
     self
   end
 
-  # Returns a new string with all occurrences of the pattern removed. Short-hand for String#gsub(pattern, '').
-  def remove(pattern)
-    gsub pattern, ''
+  # Returns a new string with all occurrences of the patterns removed.
+  #   str = "foo bar test"
+  #   str.remove(" test")                 # => "foo bar"
+  #   str                                 # => "foo bar test"
+  def remove(*patterns)
+    dup.remove!(*patterns)
   end
 
-  # Alters the string by removing all occurrences of the pattern. Short-hand for String#gsub!(pattern, '').
-  def remove!(pattern)
-    gsub! pattern, ''
+  # Alters the string by removing all occurrences of the patterns.
+  #   str = "foo bar test"
+  #   str.remove!(" test")                 # => "foo bar"
+  #   str                                  # => "foo bar"
+  def remove!(*patterns)
+    patterns.each do |pattern|
+      gsub! pattern, ""
+    end
+
+    self
   end
 
   # Truncates a given +text+ after a given <tt>length</tt> if +text+ is longer than <tt>length</tt>:
@@ -62,4 +75,28 @@ class String
 
     "#{self[0, stop]}#{omission}"
   end
+
+  # Truncates a given +text+ after a given number of words (<tt>words_count</tt>):
+  #
+  #   'Once upon a time in a world far far away'.truncate_words(4)
+  #   # => "Once upon a time..."
+  #
+  # Pass a string or regexp <tt>:separator</tt> to specify a different separator of words:
+  #
+  #   'Once<br>upon<br>a<br>time<br>in<br>a<br>world'.truncate_words(5, separator: '<br>')
+  #   # => "Once<br>upon<br>a<br>time<br>in..."
+  #
+  # The last characters will be replaced with the <tt>:omission</tt> string (defaults to "..."):
+  #
+  #   'And they found that many people were sleeping better.'.truncate_words(5, omission: '... (continued)')
+  #   # => "And they found that many... (continued)"
+  def truncate_words(words_count, options = {})
+    sep = options[:separator] || /\s+/
+    sep = Regexp.escape(sep.to_s) unless Regexp === sep
+    if self =~ /\A((?:.+?#{sep}){#{words_count - 1}}.+?)#{sep}.*/m
+      $1 + (options[:omission] || '...')
+    else
+      dup
+    end
+  end
 end
diff --git a/activesupport/lib/active_support/core_ext/string/inflections.rb b/activesupport/lib/active_support/core_ext/string/inflections.rb
index cf9b1a4ec0..38d567c014 100644
--- a/activesupport/lib/active_support/core_ext/string/inflections.rb
+++ b/activesupport/lib/active_support/core_ext/string/inflections.rb
@@ -31,7 +31,7 @@ class String
   def pluralize(count = nil, locale = :en)
     locale = count if count.is_a?(Symbol)
     if count == 1
-      self
+      self.dup
     else
       ActiveSupport::Inflector.pluralize(self, locale)
     end
@@ -130,6 +130,8 @@ class String
   #
   #   'ActiveRecord::CoreExtensions::String::Inflections'.demodulize # => "Inflections"
   #   'Inflections'.demodulize                                       # => "Inflections"
+  #   '::Inflections'.demodulize                                     # => "Inflections"
+  #   ''.demodulize                                                  # => ''
   #
   # See also +deconstantize+.
   def demodulize
@@ -197,6 +199,7 @@ class String
   #   'employee_salary'.humanize              # => "Employee salary"
   #   'author_id'.humanize                    # => "Author"
   #   'author_id'.humanize(capitalize: false) # => "author"
+  #   '_id'.humanize                          # => "Id"
   def humanize(options = {})
     ActiveSupport::Inflector.humanize(self, options)
   end
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index eb02b6a442..ba8d4acd6d 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -6,7 +6,7 @@ class ERB
     HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
     HTML_ESCAPE_REGEXP = /[&"'><]/
-    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
     JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
 
     # A utility method for escaping HTML tag characters.
@@ -18,12 +18,7 @@ class ERB
     #   puts html_escape('is a > 0 & a < 10?')
     #   # => is a &gt; 0 &amp; a &lt; 10?
     def html_escape(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        s.gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE).html_safe
-      end
+      unwrapped_html_escape(s).html_safe
     end
 
     # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
@@ -35,6 +30,18 @@ class ERB
     singleton_class.send(:remove_method, :html_escape)
     module_function :html_escape
 
+    # HTML escapes strings but doesn't wrap them with an ActiveSupport::SafeBuffer.
+    # This method is not for public consumption! Seriously!
+    def unwrapped_html_escape(s) # :nodoc:
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        s.gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE)
+      end
+    end
+    module_function :unwrapped_html_escape
+
     # A utility method for escaping HTML without affecting existing escaped entities.
     #
     #   html_escape_once('1 < 2 &amp; 3')
@@ -124,7 +131,7 @@ module ActiveSupport #:nodoc:
   class SafeBuffer < String
     UNSAFE_STRING_METHODS = %w(
       capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
-      slice squeeze strip sub succ swapcase tr tr_s upcase prepend
+      slice squeeze strip sub succ swapcase tr tr_s upcase
     )
 
     alias_method :original_concat, :concat
@@ -142,7 +149,11 @@ module ActiveSupport #:nodoc:
       else
         if html_safe?
           new_safe_buffer = super
-          new_safe_buffer.instance_eval { @html_safe = true }
+
+          if new_safe_buffer
+            new_safe_buffer.instance_variable_set :@html_safe, true
+          end
+
           new_safe_buffer
         else
           to_str[*args]
@@ -170,14 +181,14 @@ module ActiveSupport #:nodoc:
     end
 
     def concat(value)
-      if !html_safe? || value.html_safe?
-        super(value)
-      else
-        super(ERB::Util.h(value))
-      end
+      super(html_escape_interpolated_argument(value))
     end
     alias << concat
 
+    def prepend(value)
+      super(html_escape_interpolated_argument(value))
+    end
+
     def +(other)
       dup.concat(other)
     end
@@ -227,12 +238,18 @@ module ActiveSupport #:nodoc:
     private
 
     def html_escape_interpolated_argument(arg)
-      (!html_safe? || arg.html_safe?) ? arg : ERB::Util.h(arg)
+      (!html_safe? || arg.html_safe?) ? arg :
+        arg.to_s.gsub(ERB::Util::HTML_ESCAPE_REGEXP, ERB::Util::HTML_ESCAPE)
     end
   end
 end
 
 class String
+  # Marks a string as trusted safe. It will be inserted into HTML with no
+  # additional escaping performed. It is your responsibilty to ensure that the
+  # string contains no malicious content. This method is equivalent to the
+  # `raw` helper in views. It is recommended that you use `sanitize` instead of
+  # this method. It should never be called on user input.
   def html_safe
     ActiveSupport::SafeBuffer.new(self)
   end