actionview 5.2.3

data/lib/action_view/helpers/output_safety_helper.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/output_safety"
+
+module ActionView #:nodoc:
+  # = Action View Raw Output Helper
+  module Helpers #:nodoc:
+    module OutputSafetyHelper
+      # This method outputs without escaping a string. Since escaping tags is
+      # now default, this can be used when you don't want Rails to automatically
+      # escape tags. This is not recommended if the data is coming from the user's
+      # input.
+      #
+      # For example:
+      #
+      #  raw @user.name
+      #  # => 'Jimmy <alert>Tables</alert>'
+      def raw(stringish)
+        stringish.to_s.html_safe
+      end
+
+      # This method returns an HTML safe string similar to what <tt>Array#join</tt>
+      # would return. The array is flattened, and all items, including
+      # the supplied separator, are HTML escaped unless they are HTML
+      # safe, and the returned string is marked as HTML safe.
+      #
+      #   safe_join([raw("<p>foo</p>"), "<p>bar</p>"], "<br />")
+      #   # => "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;"
+      #
+      #   safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />"))
+      #   # => "<p>foo</p><br /><p>bar</p>"
+      #
+      def safe_join(array, sep = $,)
+        sep = ERB::Util.unwrapped_html_escape(sep)
+
+        array.flatten.map! { |i| ERB::Util.unwrapped_html_escape(i) }.join(sep).html_safe
+      end
+
+      # Converts the array to a comma-separated sentence where the last element is
+      # joined by the connector word. This is the html_safe-aware version of
+      # ActiveSupport's {Array#to_sentence}[http://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
+      #
+      def to_sentence(array, options = {})
+        options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)
+
+        default_connectors = {
+          words_connector: ", ",
+          two_words_connector: " and ",
+          last_word_connector: ", and "
+        }
+        if defined?(I18n)
+          i18n_connectors = I18n.translate(:'support.array', locale: options[:locale], default: {})
+          default_connectors.merge!(i18n_connectors)
+        end
+        options = default_connectors.merge!(options)
+
+        case array.length
+        when 0
+          "".html_safe
+        when 1
+          ERB::Util.html_escape(array[0])
+        when 2
+          safe_join([array[0], array[1]], options[:two_words_connector])
+        else
+          safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]], nil)
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/record_tag_helper.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module ActionView
+  module Helpers #:nodoc:
+    module RecordTagHelper
+      def div_for(*) # :nodoc:
+        raise NoMethodError, "The `div_for` method has been removed from " \
+          "Rails. To continue using it, add the `record_tag_helper` gem to " \
+          "your Gemfile:\n" \
+          "  gem 'record_tag_helper', '~> 1.0'\n" \
+          "Consult the Rails upgrade guide for details."
+      end
+
+      def content_tag_for(*) # :nodoc:
+        raise NoMethodError, "The `content_tag_for` method has been removed from " \
+          "Rails. To continue using it, add the `record_tag_helper` gem to " \
+          "your Gemfile:\n" \
+          "  gem 'record_tag_helper', '~> 1.0'\n" \
+          "Consult the Rails upgrade guide for details."
+      end
+    end
+  end
+end

data/lib/action_view/helpers/rendering_helper.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module ActionView
+  module Helpers #:nodoc:
+    # = Action View Rendering
+    #
+    # Implements methods that allow rendering from a view context.
+    # In order to use this module, all you need is to implement
+    # view_renderer that returns an ActionView::Renderer object.
+    module RenderingHelper
+      # Returns the result of a render that's dictated by the options hash. The primary options are:
+      #
+      # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
+      # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
+      # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
+      # * <tt>:plain</tt> - Renders the text passed in out. Setting the content
+      #   type as <tt>text/plain</tt>.
+      # * <tt>:html</tt> - Renders the HTML safe string passed in out, otherwise
+      #   performs HTML escape on the string first. Setting the content type as
+      #   <tt>text/html</tt>.
+      # * <tt>:body</tt> - Renders the text passed in, and inherits the content
+      #   type of <tt>text/plain</tt> from <tt>ActionDispatch::Response</tt>
+      #   object.
+      #
+      # If no options hash is passed or :update specified, the default is to render a partial and use the second parameter
+      # as the locals hash.
+      def render(options = {}, locals = {}, &block)
+        case options
+        when Hash
+          if block_given?
+            view_renderer.render_partial(self, options.merge(partial: options[:layout]), &block)
+          else
+            view_renderer.render(self, options)
+          end
+        else
+          view_renderer.render_partial(self, partial: options, locals: locals, &block)
+        end
+      end
+
+      # Overwrites _layout_for in the context object so it supports the case a block is
+      # passed to a partial. Returns the contents that are yielded to a layout, given a
+      # name or a block.
+      #
+      # You can think of a layout as a method that is called with a block. If the user calls
+      # <tt>yield :some_name</tt>, the block, by default, returns <tt>content_for(:some_name)</tt>.
+      # If the user calls simply +yield+, the default block returns <tt>content_for(:layout)</tt>.
+      #
+      # The user can override this default by passing a block to the layout:
+      #
+      #   # The template
+      #   <%= render layout: "my_layout" do %>
+      #     Content
+      #   <% end %>
+      #
+      #   # The layout
+      #   <html>
+      #     <%= yield %>
+      #   </html>
+      #
+      # In this case, instead of the default block, which would return <tt>content_for(:layout)</tt>,
+      # this method returns the block that was passed in to <tt>render :layout</tt>, and the response
+      # would be
+      #
+      #   <html>
+      #     Content
+      #   </html>
+      #
+      # Finally, the block can take block arguments, which can be passed in by +yield+:
+      #
+      #   # The template
+      #   <%= render layout: "my_layout" do |customer| %>
+      #     Hello <%= customer.name %>
+      #   <% end %>
+      #
+      #   # The layout
+      #   <html>
+      #     <%= yield Struct.new(:name).new("David") %>
+      #   </html>
+      #
+      # In this case, the layout would receive the block passed into <tt>render :layout</tt>,
+      # and the struct specified would be passed into the block as an argument. The result
+      # would be
+      #
+      #   <html>
+      #     Hello David
+      #   </html>
+      #
+      def _layout_for(*args, &block)
+        name = args.first
+
+        if block && !name.is_a?(Symbol)
+          capture(*args, &block)
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/sanitize_helper.rb

@@ -0,0 +1,177 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/try"
+require "rails-html-sanitizer"
+
+module ActionView
+  # = Action View Sanitize Helpers
+  module Helpers #:nodoc:
+    # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
+    # These helper methods extend Action View making them callable within your template files.
+    module SanitizeHelper
+      extend ActiveSupport::Concern
+      # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
+      #
+      # It also strips href/src attributes with unsafe protocols like
+      # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
+      # ASCII, and hex character references to work around these protocol filters.
+      # All special characters will be escaped.
+      #
+      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
+      #
+      # Custom sanitization rules can also be provided.
+      #
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid or even well-formed.
+      #
+      # ==== Options
+      #
+      # * <tt>:tags</tt> - An array of allowed tags.
+      # * <tt>:attributes</tt> - An array of allowed attributes.
+      # * <tt>:scrubber</tt> - A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer]
+      #   or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
+      #   defines custom sanitization rules. A custom scrubber takes precedence over
+      #   custom tags and attributes.
+      #
+      # ==== Examples
+      #
+      # Normal use:
+      #
+      #   <%= sanitize @comment.body %>
+      #
+      # Providing custom whitelisted tags and attributes:
+      #
+      #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
+      #
+      # Providing a custom Rails::Html scrubber:
+      #
+      #   class CommentScrubber < Rails::Html::PermitScrubber
+      #     def initialize
+      #       super
+      #       self.tags = %w( form script comment blockquote )
+      #       self.attributes = %w( style )
+      #     end
+      #
+      #     def skip_node?(node)
+      #       node.text?
+      #     end
+      #   end
+      #
+      #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
+      #
+      # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
+      # documentation about Rails::Html scrubbers.
+      #
+      # Providing a custom Loofah::Scrubber:
+      #
+      #   scrubber = Loofah::Scrubber.new do |node|
+      #     node.remove if node.name == 'script'
+      #   end
+      #
+      #   <%= sanitize @comment.body, scrubber: scrubber %>
+      #
+      # See {Loofah's documentation}[https://github.com/flavorjones/loofah] for more
+      # information about defining custom Loofah::Scrubber objects.
+      #
+      # To set the default allowed tags or attributes across your application:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
+      #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
+      def sanitize(html, options = {})
+        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+      end
+
+      # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
+      def sanitize_css(style)
+        self.class.white_list_sanitizer.sanitize_css(style)
+      end
+
+      # Strips all HTML tags from +html+, including comments and special characters.
+      #
+      #   strip_tags("Strip <i>these</i> tags!")
+      #   # => Strip these tags!
+      #
+      #   strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+      #   # => Bold no more!  See more here...
+      #
+      #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+      #   # => Welcome to my website!
+      #
+      #   strip_tags("> A quote from Smith & Wesson")
+      #   # => &gt; A quote from Smith &amp; Wesson
+      def strip_tags(html)
+        self.class.full_sanitizer.sanitize(html)
+      end
+
+      # Strips all link tags from +html+ leaving just the link text.
+      #
+      #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
+      #   # => Ruby on Rails
+      #
+      #   strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
+      #   # => Please e-mail me at me@email.com.
+      #
+      #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
+      #   # => Blog: Visit.
+      #
+      #   strip_links('<<a href="https://example.org">malformed & link</a>')
+      #   # => &lt;malformed &amp; link
+      def strip_links(html)
+        self.class.link_sanitizer.sanitize(html)
+      end
+
+      module ClassMethods #:nodoc:
+        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+
+        # Vendors the full, link and white list sanitizers.
+        # Provided strictly for compatibility and can be removed in Rails 5.1.
+        def sanitizer_vendor
+          Rails::Html::Sanitizer
+        end
+
+        def sanitized_allowed_tags
+          sanitizer_vendor.white_list_sanitizer.allowed_tags
+        end
+
+        def sanitized_allowed_attributes
+          sanitizer_vendor.white_list_sanitizer.allowed_attributes
+        end
+
+        # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
+        # any object that responds to +sanitize+.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.full_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def full_sanitizer
+          @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
+        end
+
+        # Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
+        # Replace with any object that responds to +sanitize+.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.link_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def link_sanitizer
+          @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
+        end
+
+        # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Replace with any object that responds to +sanitize+.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def white_list_sanitizer
+          @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/tag_helper.rb

@@ -0,0 +1,313 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/output_safety"
+require "set"
+
+module ActionView
+  # = Action View Tag Helpers
+  module Helpers #:nodoc:
+    # Provides methods to generate HTML tags programmatically both as a modern
+    # HTML5 compliant builder style and legacy XHTML compliant tags.
+    module TagHelper
+      extend ActiveSupport::Concern
+      include CaptureHelper
+      include OutputSafetyHelper
+
+      BOOLEAN_ATTRIBUTES = %w(allowfullscreen async autofocus autoplay checked
+                              compact controls declare default defaultchecked
+                              defaultmuted defaultselected defer disabled
+                              enabled formnovalidate hidden indeterminate inert
+                              ismap itemscope loop multiple muted nohref
+                              noresize noshade novalidate nowrap open
+                              pauseonexit readonly required reversed scoped
+                              seamless selected sortable truespeed typemustmatch
+                              visible).to_set
+
+      BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map(&:to_sym))
+
+      TAG_PREFIXES = ["aria", "data", :aria, :data].to_set
+
+      PRE_CONTENT_STRINGS             = Hash.new { "" }
+      PRE_CONTENT_STRINGS[:textarea]  = "\n"
+      PRE_CONTENT_STRINGS["textarea"] = "\n"
+
+      class TagBuilder #:nodoc:
+        include CaptureHelper
+        include OutputSafetyHelper
+
+        VOID_ELEMENTS = %i(area base br col embed hr img input keygen link meta param source track wbr).to_set
+
+        def initialize(view_context)
+          @view_context = view_context
+        end
+
+        def tag_string(name, content = nil, escape_attributes: true, **options, &block)
+          content = @view_context.capture(self, &block) if block_given?
+          if VOID_ELEMENTS.include?(name) && content.nil?
+            "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
+          else
+            content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
+          end
+        end
+
+        def content_tag_string(name, content, options, escape = true)
+          tag_options = tag_options(options, escape) if options
+          content     = ERB::Util.unwrapped_html_escape(content) if escape
+          "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
+        end
+
+        def tag_options(options, escape = true)
+          return if options.blank?
+          output = "".dup
+          sep    = " "
+          options.each_pair do |key, value|
+            if TAG_PREFIXES.include?(key) && value.is_a?(Hash)
+              value.each_pair do |k, v|
+                next if v.nil?
+                output << sep
+                output << prefix_tag_option(key, k, v, escape)
+              end
+            elsif BOOLEAN_ATTRIBUTES.include?(key)
+              if value
+                output << sep
+                output << boolean_tag_option(key)
+              end
+            elsif !value.nil?
+              output << sep
+              output << tag_option(key, value, escape)
+            end
+          end
+          output unless output.empty?
+        end
+
+        def boolean_tag_option(key)
+          %(#{key}="#{key}")
+        end
+
+        def tag_option(key, value, escape)
+          if value.is_a?(Array)
+            value = escape ? safe_join(value, " ".freeze) : value.join(" ".freeze)
+          else
+            value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
+          end
+          %(#{key}="#{value.gsub('"'.freeze, '&quot;'.freeze)}")
+        end
+
+        private
+          def prefix_tag_option(prefix, key, value, escape)
+            key = "#{prefix}-#{key.to_s.dasherize}"
+            unless value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(BigDecimal)
+              value = value.to_json
+            end
+            tag_option(key, value, escape)
+          end
+
+          def respond_to_missing?(*args)
+            true
+          end
+
+          def method_missing(called, *args, &block)
+            tag_string(called, *args, &block)
+          end
+      end
+
+      # Returns an HTML tag.
+      #
+      # === Building HTML tags
+      #
+      # Builds HTML5 compliant tags with a tag proxy. Every tag can be built with:
+      #
+      #   tag.<tag name>(optional content, options)
+      #
+      # where tag name can be e.g. br, div, section, article, or any tag really.
+      #
+      # ==== Passing content
+      #
+      # Tags can pass content to embed within it:
+      #
+      #   tag.h1 'All titles fit to print' # => <h1>All titles fit to print</h1>
+      #
+      #   tag.div tag.p('Hello world!')  # => <div><p>Hello world!</p></div>
+      #
+      # Content can also be captured with a block, which is useful in templates:
+      #
+      #   <%= tag.p do %>
+      #     The next great American novel starts here.
+      #   <% end %>
+      #   # => <p>The next great American novel starts here.</p>
+      #
+      # ==== Options
+      #
+      # Use symbol keyed options to add attributes to the generated tag.
+      #
+      #   tag.section class: %w( kitties puppies )
+      #   # => <section class="kitties puppies"></section>
+      #
+      #   tag.section id: dom_id(@post)
+      #   # => <section id="<generated dom id>"></section>
+      #
+      # Pass +true+ for any attributes that can render with no values, like +disabled+ and +readonly+.
+      #
+      #   tag.input type: 'text', disabled: true
+      #   # => <input type="text" disabled="disabled">
+      #
+      # HTML5 <tt>data-*</tt> attributes can be set with a single +data+ key
+      # pointing to a hash of sub-attributes.
+      #
+      # To play nicely with JavaScript conventions, sub-attributes are dasherized.
+      #
+      #   tag.article data: { user_id: 123 }
+      #   # => <article data-user-id="123"></article>
+      #
+      # Thus <tt>data-user-id</tt> can be accessed as <tt>dataset.userId</tt>.
+      #
+      # Data attribute values are encoded to JSON, with the exception of strings, symbols and
+      # BigDecimals.
+      # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
+      # from 1.4.3.
+      #
+      #   tag.div data: { city_state: %w( Chicago IL ) }
+      #   # => <div data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
+      #
+      # The generated attributes are escaped by default. This can be disabled using
+      # +escape_attributes+.
+      #
+      #   tag.img src: 'open & shut.png'
+      #   # => <img src="open &amp; shut.png">
+      #
+      #   tag.img src: 'open & shut.png', escape_attributes: false
+      #   # => <img src="open & shut.png">
+      #
+      # The tag builder respects
+      # {HTML5 void elements}[https://www.w3.org/TR/html5/syntax.html#void-elements]
+      # if no content is passed, and omits closing tags for those elements.
+      #
+      #   # A standard element:
+      #   tag.div # => <div></div>
+      #
+      #   # A void element:
+      #   tag.br  # => <br>
+      #
+      # === Legacy syntax
+      #
+      # The following format is for legacy syntax support. It will be deprecated in future versions of Rails.
+      #
+      #   tag(name, options = nil, open = false, escape = true)
+      #
+      # It returns an empty HTML tag of type +name+ which by default is XHTML
+      # compliant. Set +open+ to true to create an open tag compatible
+      # with HTML 4.0 and below. Add HTML attributes by passing an attributes
+      # hash to +options+. Set +escape+ to false to disable attribute value
+      # escaping.
+      #
+      # ==== Options
+      #
+      # You can use symbols or strings for the attribute names.
+      #
+      # Use +true+ with boolean attributes that can render with no value, like
+      # +disabled+ and +readonly+.
+      #
+      # HTML5 <tt>data-*</tt> attributes can be set with a single +data+ key
+      # pointing to a hash of sub-attributes.
+      #
+      # ==== Examples
+      #
+      #   tag("br")
+      #   # => <br />
+      #
+      #   tag("br", nil, true)
+      #   # => <br>
+      #
+      #   tag("input", type: 'text', disabled: true)
+      #   # => <input type="text" disabled="disabled" />
+      #
+      #   tag("input", type: 'text', class: ["strong", "highlight"])
+      #   # => <input class="strong highlight" type="text" />
+      #
+      #   tag("img", src: "open & shut.png")
+      #   # => <img src="open &amp; shut.png" />
+      #
+      #   tag("img", {src: "open &amp; shut.png"}, false, false)
+      #   # => <img src="open &amp; shut.png" />
+      #
+      #   tag("div", data: {name: 'Stephen', city_state: %w(Chicago IL)})
+      #   # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
+      def tag(name = nil, options = nil, open = false, escape = true)
+        if name.nil?
+          tag_builder
+        else
+          "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
+        end
+      end
+
+      # Returns an HTML block tag of type +name+ surrounding the +content+. Add
+      # HTML attributes by passing an attributes hash to +options+.
+      # Instead of passing the content as an argument, you can also use a block
+      # in which case, you pass your +options+ as the second parameter.
+      # Set escape to false to disable attribute value escaping.
+      # Note: this is legacy syntax, see +tag+ method description for details.
+      #
+      # ==== Options
+      # The +options+ hash can be used with attributes with no value like (<tt>disabled</tt> and
+      # <tt>readonly</tt>), which you can give a value of true in the +options+ hash. You can use
+      # symbols or strings for the attribute names.
+      #
+      # ==== Examples
+      #   content_tag(:p, "Hello world!")
+      #    # => <p>Hello world!</p>
+      #   content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
+      #    # => <div class="strong"><p>Hello world!</p></div>
+      #   content_tag(:div, "Hello world!", class: ["strong", "highlight"])
+      #    # => <div class="strong highlight">Hello world!</div>
+      #   content_tag("select", options, multiple: true)
+      #    # => <select multiple="multiple">...options...</select>
+      #
+      #   <%= content_tag :div, class: "strong" do -%>
+      #     Hello world!
+      #   <% end -%>
+      #    # => <div class="strong">Hello world!</div>
+      def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
+        if block_given?
+          options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
+          tag_builder.content_tag_string(name, capture(&block), options, escape)
+        else
+          tag_builder.content_tag_string(name, content_or_options_with_block, options, escape)
+        end
+      end
+
+      # Returns a CDATA section with the given +content+. CDATA sections
+      # are used to escape blocks of text containing characters which would
+      # otherwise be recognized as markup. CDATA sections begin with the string
+      # <tt><![CDATA[</tt> and end with (and may not contain) the string <tt>]]></tt>.
+      #
+      #   cdata_section("<hello world>")
+      #   # => <![CDATA[<hello world>]]>
+      #
+      #   cdata_section(File.read("hello_world.txt"))
+      #   # => <![CDATA[<hello from a text file]]>
+      #
+      #   cdata_section("hello]]>world")
+      #   # => <![CDATA[hello]]]]><![CDATA[>world]]>
+      def cdata_section(content)
+        splitted = content.to_s.gsub(/\]\]\>/, "]]]]><![CDATA[>")
+        "<![CDATA[#{splitted}]]>".html_safe
+      end
+
+      # Returns an escaped version of +html+ without affecting existing escaped entities.
+      #
+      #   escape_once("1 < 2 &amp; 3")
+      #   # => "1 &lt; 2 &amp; 3"
+      #
+      #   escape_once("&lt;&lt; Accept & Checkout")
+      #   # => "&lt;&lt; Accept &amp; Checkout"
+      def escape_once(html)
+        ERB::Util.html_escape_once(html)
+      end
+
+      private
+        def tag_builder
+          @tag_builder ||= TagBuilder.new(self)
+        end
+    end
+  end
+end