diff --git a/actionpack/lib/action_controller/failsafe.rb b/actionpack/lib/action_controller/failsafe.rb
index 42ec57025841c..d452913efc3c6 100644
--- a/actionpack/lib/action_controller/failsafe.rb
+++ b/actionpack/lib/action_controller/failsafe.rb
@@ -62,11 +62,11 @@ def failsafe_response_body
# The default 500.html uses the h() method.
def h(text) # :nodoc:
- ERB::Util.h(text)
+ SafeERB::Util.h(text)
end
def render_template(filename)
- ERB.new(File.read(filename)).result(binding)
+ SafeERB.new(File.read(filename)).result(binding)
end
def log_failsafe_exception(exception)
diff --git a/actionpack/lib/action_view/base.rb b/actionpack/lib/action_view/base.rb
index f10a26629a928..9f229d6be6f57 100644
--- a/actionpack/lib/action_view/base.rb
+++ b/actionpack/lib/action_view/base.rb
@@ -160,7 +160,7 @@ def initialize(paths, path, template_format = nil)
#
# See the ActionView::Helpers::PrototypeHelper::GeneratorMethods documentation for more details.
class Base
- include Helpers, Partials, ::ERB::Util
+ include Helpers, Partials, ::SafeERB::Util
extend ActiveSupport::Memoizable
attr_accessor :base_path, :assigns, :template_extension
diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb
index ed407c9df2c78..fac887ef252f0 100644
--- a/actionpack/lib/action_view/helpers/active_record_helper.rb
+++ b/actionpack/lib/action_view/helpers/active_record_helper.rb
@@ -121,7 +121,7 @@ def error_message_on(object, method, *args)
if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) && (errors = obj.errors.on(method))
content_tag("div",
- "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{options[:append_text]}".html_safe,
+ "#{options[:prepend_text]}#{SafeERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{options[:append_text]}".html_safe,
:class => options[:css_class]
)
else
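Review bot: The failsafe's last-resort 500 page now depends on `SafeERB` in both `h` and `render_template`, and `SafeERB` is not the stdlib `ERB` class but one defined in ActiveSupport's `core_ext/string/output_safety` (per the output_safety.rb hunk of this same commit); if that file is not guaranteed to be loaded before the failsafe middleware handles an exception, the error path itself raises `NameError` and no failsafe page is produced at all. Unless the require already sits above this hunk, add `require 'active_support/core_ext/string/output_safety'` at the top of failsafe.rb. `SafeERB#result(binding)` will also emit `_erbout.safe_concat` calls (visible in that hunk's `set_eoutvar`), so the buffer it sets up must respond to `safe_concat`; the pre-command that initialises the buffer is outside the visible hunks, so worth confirming for this plain `result(binding)` use. The enclosing `Failsafe` class starts outside the hunk.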
@@ -198,7 +198,7 @@ def error_messages_for(*params)
locale.t :header, :count => count, :model => object_name
end
message = options.include?(:message) ? options[:message] : locale.t(:body)
- error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, ERB::Util.html_escape(msg)) } }.join.html_safe
+ error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, SafeERB::Util.html_escape(msg)) } }.join.html_safe
contents = ''
contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
index 6d5acf1726fd7..a720459505129 100644
--- a/actionpack/lib/action_view/helpers/form_options_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
@@ -97,7 +97,7 @@ module Helpers
#
#
module FormOptionsHelper
- include ERB::Util
+ include SafeERB::Util
# Create a select tag and a series of contained option tags for the provided object and method.
# The option currently held by the object will be selected, provided that the object is available.
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index cdd348aecc4ba..ad46d13abcecd 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -6,7 +6,7 @@ module Helpers #:nodoc:
# Provides methods to generate HTML tags programmatically when you can't use
# a Builder. By default, they output XHTML compliant tags.
module TagHelper
- include ERB::Util
+ include SafeERB::Util
BOOLEAN_ATTRIBUTES = %w(disabled readonly multiple checked).to_set
BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map(&:to_sym))
@@ -103,7 +103,7 @@ def cdata_section(content)
# escape_once("<< Accept & Checkout")
# # => "<< Accept & Checkout"
def escape_once(html)
- ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+ ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| SafeERB::Util::HTML_ESCAPE[special] }
end
private
diff --git a/actionpack/lib/action_view/template_handlers/erb.rb b/actionpack/lib/action_view/template_handlers/erb.rb
index e3120ba267ad2..d34a336df410b 100644
--- a/actionpack/lib/action_view/template_handlers/erb.rb
+++ b/actionpack/lib/action_view/template_handlers/erb.rb
@@ -11,7 +11,7 @@ class ERB < TemplateHandler
self.erb_trim_mode = '-'
def compile(template)
- src = ::ERB.new("<% __in_erb_template=true %>#{template.source}", nil, erb_trim_mode, '@output_buffer').src
+ src = ::SafeERB.new("<% __in_erb_template=true %>#{template.source}", nil, erb_trim_mode, '@output_buffer').src
# Ruby 1.9 prepends an encoding to the source. However this is
# useless because you can only set an encoding on the first line
diff --git a/actionpack/test/controller/output_escaping_test.rb b/actionpack/test/controller/output_escaping_test.rb
index 43a8c05cdaf84..a68d03a511e9f 100644
--- a/actionpack/test/controller/output_escaping_test.rb
+++ b/actionpack/test/controller/output_escaping_test.rb
@@ -3,17 +3,17 @@ class OutputEscapingTest < ActiveSupport::TestCase
test "escape_html shouldn't die when passed nil" do
- assert ERB::Util.h(nil).blank?
+ assert SafeERB::Util.h(nil).blank?
end
test "escapeHTML should escape strings" do
- assert_equal "<>"", ERB::Util.h("<>\"")
+ assert_equal "<>"", SafeERB::Util.h("<>\"")
end
test "escapeHTML shouldn't touch explicitly safe strings" do
# TODO this seems easier to compose and reason about, but
# this should be verified
- assert_equal "<", ERB::Util.h("<".html_safe)
+ assert_equal "<", SafeERB::Util.h("<".html_safe)
end
end
diff --git a/actionpack/test/template/erb_util_test.rb b/actionpack/test/template/erb_util_test.rb
index 06f095470d0f1..c7b416ace4858 100644
--- a/actionpack/test/template/erb_util_test.rb
+++ b/actionpack/test/template/erb_util_test.rb
@@ -1,16 +1,16 @@
require 'abstract_unit'
class ErbUtilTest < Test::Unit::TestCase
- include ERB::Util
+ include SafeERB::Util
- ERB::Util::HTML_ESCAPE.each do |given, expected|
+ SafeERB::Util::HTML_ESCAPE.each do |given, expected|
define_method "test_html_escape_#{expected.gsub /\W/, ''}" do
assert_equal expected, html_escape(given)
end
unless given == '"'
define_method "test_json_escape_#{expected.gsub /\W/, ''}" do
- assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
+ assert_equal SafeERB::Util::JSON_ESCAPE[given], json_escape(given)
end
end
end
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index c200c72240b74..9c0b89a4fc41f 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -1,7 +1,6 @@
require 'erb'
-class ERB
- undef :set_eoutvar
+class SafeERB < ERB
def set_eoutvar(compiler, eoutvar = '_erbout')
compiler.put_cmd = "#{eoutvar}.safe_concat"
compiler.insert_cmd = "#{eoutvar}.safe_concat"
@@ -39,7 +38,6 @@ def html_escape(s)
end
end
- undef :h
alias h html_escape
module_function :html_escape
@@ -84,7 +82,7 @@ def concat(value)
if value.html_safe?
super(value)
else
- super(ERB::Util.h(value))
+ super(SafeERB::Util.h(value))
end
end
alias << concat
diff --git a/railties/guides/rails_guides/generator.rb b/railties/guides/rails_guides/generator.rb
index 6c0d9f3c3b132..e292bcadeaaea 100644
--- a/railties/guides/rails_guides/generator.rb
+++ b/railties/guides/rails_guides/generator.rb
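Review bot: Moving the `safe_concat` override out of a reopened `::ERB` into the new subclass `SafeERB < ERB` (first output_safety.rb hunk) silently restores stock behaviour for every `::ERB.new` that this commit does not touch: those templates go back to plain `_erbout.concat` with no auto-escaping, and `::ERB::Util.h` reverts to the stdlib implementation rather than the html_safe-aware one exercised in output_escaping_test.rb, yet nothing fails, so the loss is invisible. Any template handler, helper or plugin that still compiles through `::ERB` or escapes via `::ERB::Util` and renders user-controlled values with `<%= %>` therefore loses the protection the global patch gave it; this commit updates the ERB template handler and the failsafe, but a grep for `ERB.new` / `ERB::Util` across actionpack and the plugin load path should gate the merge. Because `module Util` now lives under `class SafeERB` instead of reopening `ERB::Util`, it is presumably a fresh module (consistent with the dropped `undef :h`), so `HTML_ESCAPE`, `JSON_ESCAPE` and `json_escape`, which tag_helper.rb's `escape_once` and erb_util_test.rb read through `SafeERB::Util::`, must be defined in that module itself; that part of the file is outside these hunks, so confirm. I would document the design choice above the class line: `# A subclass, not a patch of ::ERB: only templates compiled through SafeERB get an html-safe output buffer; plain ::ERB keeps stdlib semantics and does NOT auto-escape.`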
@@ -122,7 +122,7 @@ def textile(body) def with_workaround_for_notextile(body) code_blocks = [] body.gsub!(%r{<(yaml|shell|ruby|erb|html|sql|plain)>(.*?)}m) do |m| - es = ERB::Util.h($2) + es = SafeERB::Util.h($2) css_class = ['erb', 'shell'].include?($1) ? 'html' : $1 code_blocks << %{
#{es}
} "\ndirty_workaround_for_notextile_#{code_blocks.size - 1}\n" diff --git a/railties/guides/rails_guides/textile_extensions.rb b/railties/guides/rails_guides/textile_extensions.rb index b22be5752def1..89c8ed2ddc9ae 100644 --- a/railties/guides/rails_guides/textile_extensions.rb +++ b/railties/guides/rails_guides/textile_extensions.rb @@ -32,7 +32,7 @@ def plusplus(body) def code(body) body.gsub!(%r{<(yaml|shell|ruby|erb|html|sql|plain)>(.*?)}m) do |m| - es = ERB::Util.h($2) + es = SafeERB::Util.h($2) css_class = ['erb', 'shell'].include?($1) ? 'html' : $1 %{
#{es}
} end