activesupport 6.0.0

data/lib/active_support/core_ext/string/indent.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class String
+  # Same as +indent+, except it indents the receiver in-place.
+  #
+  # Returns the indented string, or +nil+ if there was nothing to indent.
+  def indent!(amount, indent_string = nil, indent_empty_lines = false)
+    indent_string = indent_string || self[/^[ \t]/] || " "
+    re = indent_empty_lines ? /^/ : /^(?!$)/
+    gsub!(re, indent_string * amount)
+  end
+
+  # Indents the lines in the receiver:
+  #
+  #   <<EOS.indent(2)
+  #   def some_method
+  #     some_code
+  #   end
+  #   EOS
+  #   # =>
+  #     def some_method
+  #       some_code
+  #     end
+  #
+  # The second argument, +indent_string+, specifies which indent string to
+  # use. The default is +nil+, which tells the method to make a guess by
+  # peeking at the first indented line, and fallback to a space if there is
+  # none.
+  #
+  #   "  foo".indent(2)        # => "    foo"
+  #   "foo\n\t\tbar".indent(2) # => "\t\tfoo\n\t\t\t\tbar"
+  #   "foo".indent(2, "\t")    # => "\t\tfoo"
+  #
+  # While +indent_string+ is typically one space or tab, it may be any string.
+  #
+  # The third argument, +indent_empty_lines+, is a flag that says whether
+  # empty lines should be indented. Default is false.
+  #
+  #   "foo\n\nbar".indent(2)            # => "  foo\n\n  bar"
+  #   "foo\n\nbar".indent(2, nil, true) # => "  foo\n  \n  bar"
+  #
+  def indent(amount, indent_string = nil, indent_empty_lines = false)
+    dup.tap { |_| _.indent!(amount, indent_string, indent_empty_lines) }
+  end
+end

data/lib/active_support/core_ext/string/inflections.rb

@@ -0,0 +1,259 @@
+# frozen_string_literal: true
+
+require "active_support/inflector/methods"
+require "active_support/inflector/transliterate"
+
+# String inflections define new methods on the String class to transform names for different purposes.
+# For instance, you can figure out the name of a table from the name of a class.
+#
+#   'ScaleScore'.tableize # => "scale_scores"
+#
+class String
+  # Returns the plural form of the word in the string.
+  #
+  # If the optional parameter +count+ is specified,
+  # the singular form will be returned if <tt>count == 1</tt>.
+  # For any other value of +count+ the plural will be returned.
+  #
+  # If the optional parameter +locale+ is specified,
+  # the word will be pluralized as a word of that language.
+  # By default, this parameter is set to <tt>:en</tt>.
+  # You must define your own inflection rules for languages other than English.
+  #
+  #   'post'.pluralize             # => "posts"
+  #   'octopus'.pluralize          # => "octopi"
+  #   'sheep'.pluralize            # => "sheep"
+  #   'words'.pluralize            # => "words"
+  #   'the blue mailman'.pluralize # => "the blue mailmen"
+  #   'CamelOctopus'.pluralize     # => "CamelOctopi"
+  #   'apple'.pluralize(1)         # => "apple"
+  #   'apple'.pluralize(2)         # => "apples"
+  #   'ley'.pluralize(:es)         # => "leyes"
+  #   'ley'.pluralize(1, :es)      # => "ley"
+  def pluralize(count = nil, locale = :en)
+    locale = count if count.is_a?(Symbol)
+    if count == 1
+      dup
+    else
+      ActiveSupport::Inflector.pluralize(self, locale)
+    end
+  end
+
+  # The reverse of +pluralize+, returns the singular form of a word in a string.
+  #
+  # If the optional parameter +locale+ is specified,
+  # the word will be singularized as a word of that language.
+  # By default, this parameter is set to <tt>:en</tt>.
+  # You must define your own inflection rules for languages other than English.
+  #
+  #   'posts'.singularize            # => "post"
+  #   'octopi'.singularize           # => "octopus"
+  #   'sheep'.singularize            # => "sheep"
+  #   'word'.singularize             # => "word"
+  #   'the blue mailmen'.singularize # => "the blue mailman"
+  #   'CamelOctopi'.singularize      # => "CamelOctopus"
+  #   'leyes'.singularize(:es)       # => "ley"
+  def singularize(locale = :en)
+    ActiveSupport::Inflector.singularize(self, locale)
+  end
+
+  # +constantize+ tries to find a declared constant with the name specified
+  # in the string. It raises a NameError when the name is not in CamelCase
+  # or is not initialized.  See ActiveSupport::Inflector.constantize
+  #
+  #   'Module'.constantize  # => Module
+  #   'Class'.constantize   # => Class
+  #   'blargle'.constantize # => NameError: wrong constant name blargle
+  def constantize
+    ActiveSupport::Inflector.constantize(self)
+  end
+
+  # +safe_constantize+ tries to find a declared constant with the name specified
+  # in the string. It returns +nil+ when the name is not in CamelCase
+  # or is not initialized.  See ActiveSupport::Inflector.safe_constantize
+  #
+  #   'Module'.safe_constantize  # => Module
+  #   'Class'.safe_constantize   # => Class
+  #   'blargle'.safe_constantize # => nil
+  def safe_constantize
+    ActiveSupport::Inflector.safe_constantize(self)
+  end
+
+  # By default, +camelize+ converts strings to UpperCamelCase. If the argument to camelize
+  # is set to <tt>:lower</tt> then camelize produces lowerCamelCase.
+  #
+  # +camelize+ will also convert '/' to '::' which is useful for converting paths to namespaces.
+  #
+  #   'active_record'.camelize                # => "ActiveRecord"
+  #   'active_record'.camelize(:lower)        # => "activeRecord"
+  #   'active_record/errors'.camelize         # => "ActiveRecord::Errors"
+  #   'active_record/errors'.camelize(:lower) # => "activeRecord::Errors"
+  def camelize(first_letter = :upper)
+    case first_letter
+    when :upper
+      ActiveSupport::Inflector.camelize(self, true)
+    when :lower
+      ActiveSupport::Inflector.camelize(self, false)
+    else
+      raise ArgumentError, "Invalid option, use either :upper or :lower."
+    end
+  end
+  alias_method :camelcase, :camelize
+
+  # Capitalizes all the words and replaces some characters in the string to create
+  # a nicer looking title. +titleize+ is meant for creating pretty output. It is not
+  # used in the Rails internals.
+  #
+  # The trailing '_id','Id'.. can be kept and capitalized by setting the
+  # optional parameter +keep_id_suffix+ to true.
+  # By default, this parameter is false.
+  #
+  # +titleize+ is also aliased as +titlecase+.
+  #
+  #   'man from the boondocks'.titleize                       # => "Man From The Boondocks"
+  #   'x-men: the last stand'.titleize                        # => "X Men: The Last Stand"
+  #   'string_ending_with_id'.titleize(keep_id_suffix: true)  # => "String Ending With Id"
+  def titleize(keep_id_suffix: false)
+    ActiveSupport::Inflector.titleize(self, keep_id_suffix: keep_id_suffix)
+  end
+  alias_method :titlecase, :titleize
+
+  # The reverse of +camelize+. Makes an underscored, lowercase form from the expression in the string.
+  #
+  # +underscore+ will also change '::' to '/' to convert namespaces to paths.
+  #
+  #   'ActiveModel'.underscore         # => "active_model"
+  #   'ActiveModel::Errors'.underscore # => "active_model/errors"
+  def underscore
+    ActiveSupport::Inflector.underscore(self)
+  end
+
+  # Replaces underscores with dashes in the string.
+  #
+  #   'puni_puni'.dasherize # => "puni-puni"
+  def dasherize
+    ActiveSupport::Inflector.dasherize(self)
+  end
+
+  # Removes the module part from the constant expression in the string.
+  #
+  #   'ActiveSupport::Inflector::Inflections'.demodulize # => "Inflections"
+  #   'Inflections'.demodulize                           # => "Inflections"
+  #   '::Inflections'.demodulize                         # => "Inflections"
+  #   ''.demodulize                                      # => ''
+  #
+  # See also +deconstantize+.
+  def demodulize
+    ActiveSupport::Inflector.demodulize(self)
+  end
+
+  # Removes the rightmost segment from the constant expression in the string.
+  #
+  #   'Net::HTTP'.deconstantize   # => "Net"
+  #   '::Net::HTTP'.deconstantize # => "::Net"
+  #   'String'.deconstantize      # => ""
+  #   '::String'.deconstantize    # => ""
+  #   ''.deconstantize            # => ""
+  #
+  # See also +demodulize+.
+  def deconstantize
+    ActiveSupport::Inflector.deconstantize(self)
+  end
+
+  # Replaces special characters in a string so that it may be used as part of a 'pretty' URL.
+  #
+  # If the optional parameter +locale+ is specified,
+  # the word will be parameterized as a word of that language.
+  # By default, this parameter is set to <tt>nil</tt> and it will use
+  # the configured <tt>I18n.locale</tt>.
+  #
+  #   class Person
+  #     def to_param
+  #       "#{id}-#{name.parameterize}"
+  #     end
+  #   end
+  #
+  #   @person = Person.find(1)
+  #   # => #<Person id: 1, name: "Donald E. Knuth">
+  #
+  #   <%= link_to(@person.name, person_path) %>
+  #   # => <a href="/person/1-donald-e-knuth">Donald E. Knuth</a>
+  #
+  # To preserve the case of the characters in a string, use the +preserve_case+ argument.
+  #
+  #   class Person
+  #     def to_param
+  #       "#{id}-#{name.parameterize(preserve_case: true)}"
+  #     end
+  #   end
+  #
+  #   @person = Person.find(1)
+  #   # => #<Person id: 1, name: "Donald E. Knuth">
+  #
+  #   <%= link_to(@person.name, person_path) %>
+  #   # => <a href="/person/1-Donald-E-Knuth">Donald E. Knuth</a>
+  def parameterize(separator: "-", preserve_case: false, locale: nil)
+    ActiveSupport::Inflector.parameterize(self, separator: separator, preserve_case: preserve_case, locale: locale)
+  end
+
+  # Creates the name of a table like Rails does for models to table names. This method
+  # uses the +pluralize+ method on the last word in the string.
+  #
+  #   'RawScaledScorer'.tableize # => "raw_scaled_scorers"
+  #   'ham_and_egg'.tableize     # => "ham_and_eggs"
+  #   'fancyCategory'.tableize   # => "fancy_categories"
+  def tableize
+    ActiveSupport::Inflector.tableize(self)
+  end
+
+  # Creates a class name from a plural table name like Rails does for table names to models.
+  # Note that this returns a string and not a class. (To convert to an actual class
+  # follow +classify+ with +constantize+.)
+  #
+  #   'ham_and_eggs'.classify # => "HamAndEgg"
+  #   'posts'.classify        # => "Post"
+  def classify
+    ActiveSupport::Inflector.classify(self)
+  end
+
+  # Capitalizes the first word, turns underscores into spaces, and (by default)strips a
+  # trailing '_id' if present.
+  # Like +titleize+, this is meant for creating pretty output.
+  #
+  # The capitalization of the first word can be turned off by setting the
+  # optional parameter +capitalize+ to false.
+  # By default, this parameter is true.
+  #
+  # The trailing '_id' can be kept and capitalized by setting the
+  # optional parameter +keep_id_suffix+ to true.
+  # By default, this parameter is false.
+  #
+  #   'employee_salary'.humanize                    # => "Employee salary"
+  #   'author_id'.humanize                          # => "Author"
+  #   'author_id'.humanize(capitalize: false)       # => "author"
+  #   '_id'.humanize                                # => "Id"
+  #   'author_id'.humanize(keep_id_suffix: true)    # => "Author Id"
+  def humanize(capitalize: true, keep_id_suffix: false)
+    ActiveSupport::Inflector.humanize(self, capitalize: capitalize, keep_id_suffix: keep_id_suffix)
+  end
+
+  # Converts just the first character to uppercase.
+  #
+  #   'what a Lovely Day'.upcase_first # => "What a Lovely Day"
+  #   'w'.upcase_first                 # => "W"
+  #   ''.upcase_first                  # => ""
+  def upcase_first
+    ActiveSupport::Inflector.upcase_first(self)
+  end
+
+  # Creates a foreign key name from a class name.
+  # +separate_class_name_and_id_with_underscore+ sets whether
+  # the method should put '_' between the name and 'id'.
+  #
+  #   'Message'.foreign_key        # => "message_id"
+  #   'Message'.foreign_key(false) # => "messageid"
+  #   'Admin::Post'.foreign_key    # => "post_id"
+  def foreign_key(separate_class_name_and_id_with_underscore = true)
+    ActiveSupport::Inflector.foreign_key(self, separate_class_name_and_id_with_underscore)
+  end
+end

data/lib/active_support/core_ext/string/inquiry.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "active_support/string_inquirer"
+
+class String
+  # Wraps the current string in the <tt>ActiveSupport::StringInquirer</tt> class,
+  # which gives you a prettier way to test for equality.
+  #
+  #   env = 'production'.inquiry
+  #   env.production?  # => true
+  #   env.development? # => false
+  def inquiry
+    ActiveSupport::StringInquirer.new(self)
+  end
+end

data/lib/active_support/core_ext/string/multibyte.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "active_support/multibyte"
+
+class String
+  # == Multibyte proxy
+  #
+  # +mb_chars+ is a multibyte safe proxy for string methods.
+  #
+  # It creates and returns an instance of the ActiveSupport::Multibyte::Chars class which
+  # encapsulates the original string. A Unicode safe version of all the String methods are defined on this proxy
+  # class. If the proxy class doesn't respond to a certain method, it's forwarded to the encapsulated string.
+  #
+  #   >> "lj".mb_chars.upcase.to_s
+  #   => "LJ"
+  #
+  # NOTE: Ruby 2.4 and later support native Unicode case mappings:
+  #
+  #   >> "lj".upcase
+  #   => "LJ"
+  #
+  # == Method chaining
+  #
+  # All the methods on the Chars proxy which normally return a string will return a Chars object. This allows
+  # method chaining on the result of any of these methods.
+  #
+  #   name.mb_chars.reverse.length # => 12
+  #
+  # == Interoperability and configuration
+  #
+  # The Chars object tries to be as interchangeable with String objects as possible: sorting and comparing between
+  # String and Char work like expected. The bang! methods change the internal string representation in the Chars
+  # object. Interoperability problems can be resolved easily with a +to_s+ call.
+  #
+  # For more information about the methods defined on the Chars proxy see ActiveSupport::Multibyte::Chars. For
+  # information about how to change the default Multibyte behavior see ActiveSupport::Multibyte.
+  def mb_chars
+    ActiveSupport::Multibyte.proxy_class.new(self)
+  end
+
+  # Returns +true+ if string has utf_8 encoding.
+  #
+  #   utf_8_str = "some string".encode "UTF-8"
+  #   iso_str = "some string".encode "ISO-8859-1"
+  #
+  #   utf_8_str.is_utf8? # => true
+  #   iso_str.is_utf8?   # => false
+  def is_utf8?
+    case encoding
+    when Encoding::UTF_8
+      valid_encoding?
+    when Encoding::ASCII_8BIT, Encoding::US_ASCII
+      dup.force_encoding(Encoding::UTF_8).valid_encoding?
+    else
+      false
+    end
+  end
+end

data/lib/active_support/core_ext/string/output_safety.rb

@@ -0,0 +1,314 @@
+# frozen_string_literal: true
+
+require "erb"
+require "active_support/core_ext/kernel/singleton_class"
+require "active_support/core_ext/module/redefine_method"
+require "active_support/multibyte/unicode"
+
+class ERB
+  module Util
+    HTML_ESCAPE = { "&" => "&amp;",  ">" => "&gt;",   "<" => "&lt;", '"' => "&quot;", "'" => "&#39;" }
+    JSON_ESCAPE = { "&" => '\u0026', ">" => '\u003e', "<" => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
+    JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
+
+    # A utility method for escaping HTML tag characters.
+    # This method is also aliased as <tt>h</tt>.
+    #
+    #   puts html_escape('is a > 0 & a < 10?')
+    #   # => is a &gt; 0 &amp; a &lt; 10?
+    def html_escape(s)
+      unwrapped_html_escape(s).html_safe
+    end
+
+    silence_redefinition_of_method :h
+    alias h html_escape
+
+    module_function :h
+
+    singleton_class.silence_redefinition_of_method :html_escape
+    module_function :html_escape
+
+    # HTML escapes strings but doesn't wrap them with an ActiveSupport::SafeBuffer.
+    # This method is not for public consumption! Seriously!
+    def unwrapped_html_escape(s) # :nodoc:
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        CGI.escapeHTML(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
+      end
+    end
+    module_function :unwrapped_html_escape
+
+    # A utility method for escaping HTML without affecting existing escaped entities.
+    #
+    #   html_escape_once('1 < 2 &amp; 3')
+    #   # => "1 &lt; 2 &amp; 3"
+    #
+    #   html_escape_once('&lt;&lt; Accept & Checkout')
+    #   # => "&lt;&lt; Accept &amp; Checkout"
+    def html_escape_once(s)
+      result = ActiveSupport::Multibyte::Unicode.tidy_bytes(s.to_s).gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
+      s.html_safe? ? result.html_safe : result
+    end
+
+    module_function :html_escape_once
+
+    # A utility method for escaping HTML entities in JSON strings. Specifically, the
+    # &, > and < characters are replaced with their equivalent unicode escaped form -
+    # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
+    # escaped as they are treated as newline characters in some JavaScript engines.
+    # These sequences have identical meaning as the original characters inside the
+    # context of a JSON string, so assuming the input is a valid and well-formed
+    # JSON value, the output will have equivalent meaning when parsed:
+    #
+    #   json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
+    #   # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
+    #
+    #   json_escape(json)
+    #   # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
+    #
+    #   JSON.parse(json) == JSON.parse(json_escape(json))
+    #   # => true
+    #
+    # The intended use case for this method is to escape JSON strings before including
+    # them inside a script tag to avoid XSS vulnerability:
+    #
+    #   <script>
+    #     var currentUser = <%= raw json_escape(current_user.to_json) %>;
+    #   </script>
+    #
+    # It is necessary to +raw+ the result of +json_escape+, so that quotation marks
+    # don't get converted to <tt>&quot;</tt> entities. +json_escape+ doesn't
+    # automatically flag the result as HTML safe, since the raw value is unsafe to
+    # use inside HTML attributes.
+    #
+    # If your JSON is being used downstream for insertion into the DOM, be aware of
+    # whether or not it is being inserted via +html()+. Most jQuery plugins do this.
+    # If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated
+    # content returned by your JSON.
+    #
+    # If you need to output JSON elsewhere in your HTML, you can just do something
+    # like this, as any unsafe characters (including quotation marks) will be
+    # automatically escaped for you:
+    #
+    #   <div data-user-info="<%= current_user.to_json %>">...</div>
+    #
+    # WARNING: this helper only works with valid JSON. Using this on non-JSON values
+    # will open up serious XSS vulnerabilities. For example, if you replace the
+    # +current_user.to_json+ in the example above with user input instead, the browser
+    # will happily eval() that string as JavaScript.
+    #
+    # The escaping performed in this method is identical to those performed in the
+    # Active Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
+    # set to true. Because this transformation is idempotent, this helper can be
+    # applied even if +ActiveSupport.escape_html_entities_in_json+ is already true.
+    #
+    # Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+
+    # is enabled, or if you are unsure where your JSON string originated from, it
+    # is recommended that you always apply this helper (other libraries, such as the
+    # JSON gem, do not provide this kind of protection by default; also some gems
+    # might override +to_json+ to bypass Active Support's encoder).
+    def json_escape(s)
+      result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
+      s.html_safe? ? result.html_safe : result
+    end
+
+    module_function :json_escape
+  end
+end
+
+class Object
+  def html_safe?
+    false
+  end
+end
+
+class Numeric
+  def html_safe?
+    true
+  end
+end
+
+module ActiveSupport #:nodoc:
+  class SafeBuffer < String
+    UNSAFE_STRING_METHODS = %w(
+      capitalize chomp chop delete delete_prefix delete_suffix
+      downcase lstrip next reverse rstrip slice squeeze strip
+      succ swapcase tr tr_s unicode_normalize upcase
+    )
+
+    UNSAFE_STRING_METHODS_WITH_BACKREF = %w(gsub sub)
+
+    alias_method :original_concat, :concat
+    private :original_concat
+
+    # Raised when <tt>ActiveSupport::SafeBuffer#safe_concat</tt> is called on unsafe buffers.
+    class SafeConcatError < StandardError
+      def initialize
+        super "Could not concatenate to the buffer because it is not html safe."
+      end
+    end
+
+    def [](*args)
+      if html_safe?
+        new_safe_buffer = super
+
+        if new_safe_buffer
+          new_safe_buffer.instance_variable_set :@html_safe, true
+        end
+
+        new_safe_buffer
+      else
+        to_str[*args]
+      end
+    end
+
+    def safe_concat(value)
+      raise SafeConcatError unless html_safe?
+      original_concat(value)
+    end
+
+    def initialize(str = "")
+      @html_safe = true
+      super
+    end
+
+    def initialize_copy(other)
+      super
+      @html_safe = other.html_safe?
+    end
+
+    def clone_empty
+      self[0, 0]
+    end
+
+    def concat(value)
+      super(html_escape_interpolated_argument(value))
+    end
+    alias << concat
+
+    def insert(index, value)
+      super(index, html_escape_interpolated_argument(value))
+    end
+
+    def prepend(value)
+      super(html_escape_interpolated_argument(value))
+    end
+
+    def replace(value)
+      super(html_escape_interpolated_argument(value))
+    end
+
+    def []=(*args)
+      if args.count == 3
+        super(args[0], args[1], html_escape_interpolated_argument(args[2]))
+      else
+        super(args[0], html_escape_interpolated_argument(args[1]))
+      end
+    end
+
+    def +(other)
+      dup.concat(other)
+    end
+
+    def *(*)
+      new_safe_buffer = super
+      new_safe_buffer.instance_variable_set(:@html_safe, @html_safe)
+      new_safe_buffer
+    end
+
+    def %(args)
+      case args
+      when Hash
+        escaped_args = Hash[args.map { |k, arg| [k, html_escape_interpolated_argument(arg)] }]
+      else
+        escaped_args = Array(args).map { |arg| html_escape_interpolated_argument(arg) }
+      end
+
+      self.class.new(super(escaped_args))
+    end
+
+    def html_safe?
+      defined?(@html_safe) && @html_safe
+    end
+
+    def to_s
+      self
+    end
+
+    def to_param
+      to_str
+    end
+
+    def encode_with(coder)
+      coder.represent_object nil, to_str
+    end
+
+    UNSAFE_STRING_METHODS.each do |unsafe_method|
+      if unsafe_method.respond_to?(unsafe_method)
+        class_eval <<-EOT, __FILE__, __LINE__ + 1
+          def #{unsafe_method}(*args, &block)       # def capitalize(*args, &block)
+            to_str.#{unsafe_method}(*args, &block)  #   to_str.capitalize(*args, &block)
+          end                                       # end
+
+          def #{unsafe_method}!(*args)              # def capitalize!(*args)
+            @html_safe = false                      #   @html_safe = false
+            super                                   #   super
+          end                                       # end
+        EOT
+      end
+    end
+
+    UNSAFE_STRING_METHODS_WITH_BACKREF.each do |unsafe_method|
+      if unsafe_method.respond_to?(unsafe_method)
+        class_eval <<-EOT, __FILE__, __LINE__ + 1
+          def #{unsafe_method}(*args, &block)             # def gsub(*args, &block)
+            if block                                      #   if block
+              to_str.#{unsafe_method}(*args) { |*params|  #     to_str.gsub(*args) { |*params|
+                set_block_back_references(block, $~)      #       set_block_back_references(block, $~)
+                block.call(*params)                       #       block.call(*params)
+              }                                           #     }
+            else                                          #   else
+              to_str.#{unsafe_method}(*args)              #     to_str.gsub(*args)
+            end                                           #   end
+          end                                             # end
+
+          def #{unsafe_method}!(*args, &block)            # def gsub!(*args, &block)
+            @html_safe = false                            #   @html_safe = false
+            if block                                      #   if block
+              super(*args) { |*params|                    #     super(*args) { |*params|
+                set_block_back_references(block, $~)      #       set_block_back_references(block, $~)
+                block.call(*params)                       #       block.call(*params)
+              }                                           #     }
+            else                                          #   else
+              super                                       #     super
+            end                                           #   end
+          end                                             # end
+        EOT
+      end
+    end
+
+    private
+
+      def html_escape_interpolated_argument(arg)
+        (!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)
+      end
+
+      def set_block_back_references(block, match_data)
+        block.binding.eval("proc { |m| $~ = m }").call(match_data)
+      end
+  end
+end
+
+class String
+  # Marks a string as trusted safe. It will be inserted into HTML with no
+  # additional escaping performed. It is your responsibility to ensure that the
+  # string contains no malicious content. This method is equivalent to the
+  # +raw+ helper in views. It is recommended that you use +sanitize+ instead of
+  # this method. It should never be called on user input.
+  def html_safe
+    ActiveSupport::SafeBuffer.new(self)
+  end
+end