activesupport 4.0.13 → 5.2.5

data/lib/active_support/core_ext/string/conversions.rb

@@ -1,5 +1,7 @@
-require 'date'
-require 'active_support/core_ext/time/calculations'
+# frozen_string_literal: true
+
+require "date"
+require "active_support/core_ext/time/calculations"
 
 class String
   # Converts a string to a Time value.
@@ -14,10 +16,12 @@ class String
   #   "06:12".to_time                    # => 2012-12-13 06:12:00 +0100
   #   "2012-12-13 06:12".to_time         # => 2012-12-13 06:12:00 +0100
   #   "2012-12-13T06:12".to_time         # => 2012-12-13 06:12:00 +0100
-  #   "2012-12-13T06:12".to_time(:utc)   # => 2012-12-13 05:12:00 UTC
+  #   "2012-12-13T06:12".to_time(:utc)   # => 2012-12-13 06:12:00 UTC
+  #   "12/13/2012".to_time               # => ArgumentError: argument out of range
   def to_time(form = :local)
     parts = Date._parse(self, false)
-    return if parts.empty?
+    used_keys = %i(year mon mday hour min sec sec_fraction offset)
+    return if (parts.keys & used_keys).empty?
 
     now = Time.now
     time = Time.new(
@@ -30,25 +34,25 @@ class String
       parts.fetch(:offset, form == :utc ? 0 : nil)
     )
 
-    form == :utc ? time.utc : time.getlocal
+    form == :utc ? time.utc : time.to_time
   end
 
   # Converts a string to a Date value.
   #
-  #   "1-1-2012".to_date   #=> Sun, 01 Jan 2012
-  #   "01/01/2012".to_date #=> Sun, 01 Jan 2012
-  #   "2012-12-13".to_date #=> Thu, 13 Dec 2012
-  #   "12/13/2012".to_date #=> ArgumentError: invalid date
+  #   "1-1-2012".to_date   # => Sun, 01 Jan 2012
+  #   "01/01/2012".to_date # => Sun, 01 Jan 2012
+  #   "2012-12-13".to_date # => Thu, 13 Dec 2012
+  #   "12/13/2012".to_date # => ArgumentError: invalid date
   def to_date
     ::Date.parse(self, false) unless blank?
   end
 
   # Converts a string to a DateTime value.
   #
-  #   "1-1-2012".to_datetime            #=> Sun, 01 Jan 2012 00:00:00 +0000
-  #   "01/01/2012 23:59:59".to_datetime #=> Sun, 01 Jan 2012 23:59:59 +0000
-  #   "2012-12-13 12:50".to_datetime    #=> Thu, 13 Dec 2012 12:50:00 +0000
-  #   "12/13/2012".to_datetime          #=> ArgumentError: invalid date
+  #   "1-1-2012".to_datetime            # => Sun, 01 Jan 2012 00:00:00 +0000
+  #   "01/01/2012 23:59:59".to_datetime # => Sun, 01 Jan 2012 23:59:59 +0000
+  #   "2012-12-13 12:50".to_datetime    # => Thu, 13 Dec 2012 12:50:00 +0000
+  #   "12/13/2012".to_datetime          # => ArgumentError: invalid date
   def to_datetime
     ::DateTime.parse(self, false) unless blank?
   end

data/lib/active_support/core_ext/string/exclude.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 class String
   # The inverse of <tt>String#include?</tt>. Returns true if the string
   # does not include the other string.
   #
-  #   "hello".exclude? "lo" #=> false
-  #   "hello".exclude? "ol" #=> true
-  #   "hello".exclude? ?h   #=> false
+  #   "hello".exclude? "lo" # => false
+  #   "hello".exclude? "ol" # => true
+  #   "hello".exclude? ?h   # => false
   def exclude?(string)
     !include?(string)
   end

data/lib/active_support/core_ext/string/filters.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class String
   # Returns the string, first removing all whitespace on both ends of
   # the string, and then changing remaining consecutive whitespace
@@ -13,10 +15,33 @@ class String
   end
 
   # Performs a destructive squish. See String#squish.
+  #   str = " foo   bar    \n   \t   boo"
+  #   str.squish!                         # => "foo bar boo"
+  #   str                                 # => "foo bar boo"
   def squish!
-    gsub!(/\A[[:space:]]+/, '')
-    gsub!(/[[:space:]]+\z/, '')
-    gsub!(/[[:space:]]+/, ' ')
+    gsub!(/[[:space:]]+/, " ")
+    strip!
+    self
+  end
+
+  # Returns a new string with all occurrences of the patterns removed.
+  #   str = "foo bar test"
+  #   str.remove(" test")                 # => "foo bar"
+  #   str.remove(" test", /bar/)          # => "foo "
+  #   str                                 # => "foo bar test"
+  def remove(*patterns)
+    dup.remove!(*patterns)
+  end
+
+  # Alters the string by removing all occurrences of the patterns.
+  #   str = "foo bar test"
+  #   str.remove!(" test", /bar/)         # => "foo "
+  #   str                                 # => "foo "
+  def remove!(*patterns)
+    patterns.each do |pattern|
+      gsub! pattern, ""
+    end
+
     self
   end
 
@@ -41,8 +66,8 @@ class String
   def truncate(truncate_at, options = {})
     return dup unless length > truncate_at
 
-    options[:omission] ||= '...'
-    length_with_room_for_omission = truncate_at - options[:omission].length
+    omission = options[:omission] || "..."
+    length_with_room_for_omission = truncate_at - omission.length
     stop = \
       if options[:separator]
         rindex(options[:separator], length_with_room_for_omission) || length_with_room_for_omission
@@ -50,6 +75,30 @@ class String
         length_with_room_for_omission
       end
 
-    "#{self[0...stop]}#{options[:omission]}"
+    "#{self[0, stop]}#{omission}"
+  end
+
+  # Truncates a given +text+ after a given number of words (<tt>words_count</tt>):
+  #
+  #   'Once upon a time in a world far far away'.truncate_words(4)
+  #   # => "Once upon a time..."
+  #
+  # Pass a string or regexp <tt>:separator</tt> to specify a different separator of words:
+  #
+  #   'Once<br>upon<br>a<br>time<br>in<br>a<br>world'.truncate_words(5, separator: '<br>')
+  #   # => "Once<br>upon<br>a<br>time<br>in..."
+  #
+  # The last characters will be replaced with the <tt>:omission</tt> string (defaults to "..."):
+  #
+  #   'And they found that many people were sleeping better.'.truncate_words(5, omission: '... (continued)')
+  #   # => "And they found that many... (continued)"
+  def truncate_words(words_count, options = {})
+    sep = options[:separator] || /\s+/
+    sep = Regexp.escape(sep.to_s) unless Regexp === sep
+    if self =~ /\A((?>.+?#{sep}){#{words_count - 1}}.+?)#{sep}.*/m
+      $1 + (options[:omission] || "...")
+    else
+      dup
+    end
   end
 end

data/lib/active_support/core_ext/string/indent.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 class String
   # Same as +indent+, except it indents the receiver in-place.
   #
   # Returns the indented string, or +nil+ if there was nothing to indent.
-  def indent!(amount, indent_string=nil, indent_empty_lines=false)
-    indent_string = indent_string || self[/^[ \t]/] || ' '
+  def indent!(amount, indent_string = nil, indent_empty_lines = false)
+    indent_string = indent_string || self[/^[ \t]/] || " "
     re = indent_empty_lines ? /^/ : /^(?!$)/
     gsub!(re, indent_string * amount)
   end
@@ -37,7 +39,7 @@ class String
   #   "foo\n\nbar".indent(2)            # => "  foo\n\n  bar"
   #   "foo\n\nbar".indent(2, nil, true) # => "  foo\n  \n  bar"
   #
-  def indent(amount, indent_string=nil, indent_empty_lines=false)
-    dup.tap {|_| _.indent!(amount, indent_string, indent_empty_lines)}
+  def indent(amount, indent_string = nil, indent_empty_lines = false)
+    dup.tap { |_| _.indent!(amount, indent_string, indent_empty_lines) }
   end
 end

data/lib/active_support/core_ext/string/inflections.rb

@@ -1,5 +1,7 @@
-require 'active_support/inflector/methods'
-require 'active_support/inflector/transliterate'
+# frozen_string_literal: true
+
+require "active_support/inflector/methods"
+require "active_support/inflector/transliterate"
 
 # String inflections define new methods on the String class to transform names for different purposes.
 # For instance, you can figure out the name of a table from the name of a class.
@@ -31,7 +33,7 @@ class String
   def pluralize(count = nil, locale = :en)
     locale = count if count.is_a?(Symbol)
     if count == 1
-      self
+      dup
     else
       ActiveSupport::Inflector.pluralize(self, locale)
     end
@@ -67,7 +69,7 @@ class String
   end
 
   # +safe_constantize+ tries to find a declared constant with the name specified
-  # in the string. It returns nil when the name is not in CamelCase
+  # in the string. It returns +nil+ when the name is not in CamelCase
   # or is not initialized.  See ActiveSupport::Inflector.safe_constantize
   #
   #   'Module'.safe_constantize  # => Module
@@ -92,6 +94,8 @@ class String
       ActiveSupport::Inflector.camelize(self, true)
     when :lower
       ActiveSupport::Inflector.camelize(self, false)
+    else
+      raise ArgumentError, "Invalid option, use either :upper or :lower."
     end
   end
   alias_method :camelcase, :camelize
@@ -100,12 +104,17 @@ class String
   # a nicer looking title. +titleize+ is meant for creating pretty output. It is not
   # used in the Rails internals.
   #
+  # The trailing '_id','Id'.. can be kept and capitalized by setting the
+  # optional parameter +keep_id_suffix+ to true.
+  # By default, this parameter is false.
+  #
   # +titleize+ is also aliased as +titlecase+.
   #
-  #   'man from the boondocks'.titleize # => "Man From The Boondocks"
-  #   'x-men: the last stand'.titleize  # => "X Men: The Last Stand"
-  def titleize
-    ActiveSupport::Inflector.titleize(self)
+  #   'man from the boondocks'.titleize                       # => "Man From The Boondocks"
+  #   'x-men: the last stand'.titleize                        # => "X Men: The Last Stand"
+  #   'string_ending_with_id'.titleize(keep_id_suffix: true)  # => "String Ending With Id"
+  def titleize(keep_id_suffix: false)
+    ActiveSupport::Inflector.titleize(self, keep_id_suffix: keep_id_suffix)
   end
   alias_method :titlecase, :titleize
 
@@ -128,8 +137,10 @@ class String
 
   # Removes the module part from the constant expression in the string.
   #
-  #   'ActiveRecord::CoreExtensions::String::Inflections'.demodulize # => "Inflections"
-  #   'Inflections'.demodulize                                       # => "Inflections"
+  #   'ActiveSupport::Inflector::Inflections'.demodulize # => "Inflections"
+  #   'Inflections'.demodulize                           # => "Inflections"
+  #   '::Inflections'.demodulize                         # => "Inflections"
+  #   ''.demodulize                                      # => ''
   #
   # See also +deconstantize+.
   def demodulize
@@ -162,41 +173,72 @@ class String
   #
   #   <%= link_to(@person.name, person_path) %>
   #   # => <a href="/person/1-donald-e-knuth">Donald E. Knuth</a>
-  def parameterize(sep = '-')
-    ActiveSupport::Inflector.parameterize(self, sep)
+  #
+  # To preserve the case of the characters in a string, use the +preserve_case+ argument.
+  #
+  #   class Person
+  #     def to_param
+  #       "#{id}-#{name.parameterize(preserve_case: true)}"
+  #     end
+  #   end
+  #
+  #   @person = Person.find(1)
+  #   # => #<Person id: 1, name: "Donald E. Knuth">
+  #
+  #   <%= link_to(@person.name, person_path) %>
+  #   # => <a href="/person/1-Donald-E-Knuth">Donald E. Knuth</a>
+  def parameterize(separator: "-", preserve_case: false)
+    ActiveSupport::Inflector.parameterize(self, separator: separator, preserve_case: preserve_case)
   end
 
   # Creates the name of a table like Rails does for models to table names. This method
   # uses the +pluralize+ method on the last word in the string.
   #
   #   'RawScaledScorer'.tableize # => "raw_scaled_scorers"
-  #   'egg_and_ham'.tableize     # => "egg_and_hams"
+  #   'ham_and_egg'.tableize     # => "ham_and_eggs"
   #   'fancyCategory'.tableize   # => "fancy_categories"
   def tableize
     ActiveSupport::Inflector.tableize(self)
   end
 
-  # Create a class name from a plural table name like Rails does for table names to models.
+  # Creates a class name from a plural table name like Rails does for table names to models.
   # Note that this returns a string and not a class. (To convert to an actual class
   # follow +classify+ with +constantize+.)
   #
-  #   'egg_and_hams'.classify # => "EggAndHam"
+  #   'ham_and_eggs'.classify # => "HamAndEgg"
   #   'posts'.classify        # => "Post"
-  #
-  # Singular names are not handled correctly.
-  #
-  #   'business'.classify # => "Busines"
   def classify
     ActiveSupport::Inflector.classify(self)
   end
 
-  # Capitalizes the first word, turns underscores into spaces, and strips '_id'.
+  # Capitalizes the first word, turns underscores into spaces, and (by default)strips a
+  # trailing '_id' if present.
   # Like +titleize+, this is meant for creating pretty output.
   #
-  #   'employee_salary'.humanize # => "Employee salary"
-  #   'author_id'.humanize       # => "Author"
-  def humanize
-    ActiveSupport::Inflector.humanize(self)
+  # The capitalization of the first word can be turned off by setting the
+  # optional parameter +capitalize+ to false.
+  # By default, this parameter is true.
+  #
+  # The trailing '_id' can be kept and capitalized by setting the
+  # optional parameter +keep_id_suffix+ to true.
+  # By default, this parameter is false.
+  #
+  #   'employee_salary'.humanize                    # => "Employee salary"
+  #   'author_id'.humanize                          # => "Author"
+  #   'author_id'.humanize(capitalize: false)       # => "author"
+  #   '_id'.humanize                                # => "Id"
+  #   'author_id'.humanize(keep_id_suffix: true)    # => "Author Id"
+  def humanize(capitalize: true, keep_id_suffix: false)
+    ActiveSupport::Inflector.humanize(self, capitalize: capitalize, keep_id_suffix: keep_id_suffix)
+  end
+
+  # Converts just the first character to uppercase.
+  #
+  #   'what a Lovely Day'.upcase_first # => "What a Lovely Day"
+  #   'w'.upcase_first                 # => "W"
+  #   ''.upcase_first                  # => ""
+  def upcase_first
+    ActiveSupport::Inflector.upcase_first(self)
   end
 
   # Creates a foreign key name from a class name.

data/lib/active_support/core_ext/string/inquiry.rb

@@ -1,4 +1,6 @@
-require 'active_support/string_inquirer'
+# frozen_string_literal: true
+
+require "active_support/string_inquirer"
 
 class String
   # Wraps the current string in the <tt>ActiveSupport::StringInquirer</tt> class,

data/lib/active_support/core_ext/string/multibyte.rb

@@ -1,5 +1,6 @@
-# encoding: utf-8
-require 'active_support/multibyte'
+# frozen_string_literal: true
+
+require "active_support/multibyte"
 
 class String
   # == Multibyte proxy
@@ -10,12 +11,12 @@ class String
   # encapsulates the original string. A Unicode safe version of all the String methods are defined on this proxy
   # class. If the proxy class doesn't respond to a certain method, it's forwarded to the encapsulated string.
   #
-  #   name = 'Claus Müller'
-  #   name.reverse # => "rell??M sualC"
-  #   name.length  # => 13
+  #   >> "lj".upcase
+  #   => "lj"
+  #   >> "lj".mb_chars.upcase.to_s
+  #   => "LJ"
   #
-  #   name.mb_chars.reverse.to_s # => "rellüM sualC"
-  #   name.mb_chars.length       # => 12
+  # NOTE: An above example is useful for pre Ruby 2.4. Ruby 2.4 supports Unicode case mappings.
   #
   # == Method chaining
   #
@@ -36,6 +37,13 @@ class String
     ActiveSupport::Multibyte.proxy_class.new(self)
   end
 
+  # Returns +true+ if string has utf_8 encoding.
+  #
+  #   utf_8_str = "some string".encode "UTF-8"
+  #   iso_str = "some string".encode "ISO-8859-1"
+  #
+  #   utf_8_str.is_utf8? # => true
+  #   iso_str.is_utf8?   # => false
   def is_utf8?
     case encoding
     when Encoding::UTF_8

data/lib/active_support/core_ext/string/output_safety.rb

@@ -1,39 +1,46 @@
-require 'erb'
-require 'active_support/core_ext/kernel/singleton_class'
+# frozen_string_literal: true
+
+require "erb"
+require "active_support/core_ext/kernel/singleton_class"
+require "active_support/core_ext/module/redefine_method"
+require "active_support/multibyte/unicode"
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }
-    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
-    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
-    JSON_ESCAPE_REGEXP = /[&"><]/
+    HTML_ESCAPE = { "&" => "&amp;",  ">" => "&gt;",   "<" => "&lt;", '"' => "&quot;", "'" => "&#39;" }
+    JSON_ESCAPE = { "&" => '\u0026', ">" => '\u003e', "<" => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
+    JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
 
     # A utility method for escaping HTML tag characters.
     # This method is also aliased as <tt>h</tt>.
     #
-    # In your ERB templates, use this method to escape any unsafe content. For example:
-    #   <%=h @person.name %>
-    #
     #   puts html_escape('is a > 0 & a < 10?')
     #   # => is a &gt; 0 &amp; a &lt; 10?
     def html_escape(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
-      end
+      unwrapped_html_escape(s).html_safe
     end
 
-    # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
-    remove_method(:h)
+    silence_redefinition_of_method :h
     alias h html_escape
 
     module_function :h
 
-    singleton_class.send(:remove_method, :html_escape)
+    singleton_class.silence_redefinition_of_method :html_escape
     module_function :html_escape
 
+    # HTML escapes strings but doesn't wrap them with an ActiveSupport::SafeBuffer.
+    # This method is not for public consumption! Seriously!
+    def unwrapped_html_escape(s) # :nodoc:
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        CGI.escapeHTML(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
+      end
+    end
+    module_function :unwrapped_html_escape
+
     # A utility method for escaping HTML without affecting existing escaped entities.
     #
     #   html_escape_once('1 < 2 &amp; 3')
@@ -42,23 +49,67 @@ class ERB
     #   html_escape_once('&lt;&lt; Accept & Checkout')
     #   # => "&lt;&lt; Accept &amp; Checkout"
     def html_escape_once(s)
-      result = s.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
+      result = ActiveSupport::Multibyte::Unicode.tidy_bytes(s.to_s).gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
       s.html_safe? ? result.html_safe : result
     end
 
     module_function :html_escape_once
 
-    # A utility method for escaping HTML entities in JSON strings
-    # using \uXXXX JavaScript escape sequences for string literals:
+    # A utility method for escaping HTML entities in JSON strings. Specifically, the
+    # &, > and < characters are replaced with their equivalent unicode escaped form -
+    # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
+    # escaped as they are treated as newline characters in some JavaScript engines.
+    # These sequences have identical meaning as the original characters inside the
+    # context of a JSON string, so assuming the input is a valid and well-formed
+    # JSON value, the output will have equivalent meaning when parsed:
+    #
+    #   json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
+    #   # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
+    #
+    #   json_escape(json)
+    #   # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
+    #
+    #   JSON.parse(json) == JSON.parse(json_escape(json))
+    #   # => true
+    #
+    # The intended use case for this method is to escape JSON strings before including
+    # them inside a script tag to avoid XSS vulnerability:
     #
-    #   json_escape('is a > 0 & a < 10?')
-    #   # => is a \u003E 0 \u0026 a \u003C 10?
+    #   <script>
+    #     var currentUser = <%= raw json_escape(current_user.to_json) %>;
+    #   </script>
     #
-    # Note that after this operation is performed the output is not
-    # valid JSON. In particular double quotes are removed:
+    # It is necessary to +raw+ the result of +json_escape+, so that quotation marks
+    # don't get converted to <tt>&quot;</tt> entities. +json_escape+ doesn't
+    # automatically flag the result as HTML safe, since the raw value is unsafe to
+    # use inside HTML attributes.
     #
-    #   json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
-    #   # => {name:john,created_at:2010-04-28T01:39:31Z,id:1}
+    # If your JSON is being used downstream for insertion into the DOM, be aware of
+    # whether or not it is being inserted via +html()+. Most jQuery plugins do this.
+    # If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated
+    # content returned by your JSON.
+    #
+    # If you need to output JSON elsewhere in your HTML, you can just do something
+    # like this, as any unsafe characters (including quotation marks) will be
+    # automatically escaped for you:
+    #
+    #   <div data-user-info="<%= current_user.to_json %>">...</div>
+    #
+    # WARNING: this helper only works with valid JSON. Using this on non-JSON values
+    # will open up serious XSS vulnerabilities. For example, if you replace the
+    # +current_user.to_json+ in the example above with user input instead, the browser
+    # will happily eval() that string as JavaScript.
+    #
+    # The escaping performed in this method is identical to those performed in the
+    # Active Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
+    # set to true. Because this transformation is idempotent, this helper can be
+    # applied even if +ActiveSupport.escape_html_entities_in_json+ is already true.
+    #
+    # Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+
+    # is enabled, or if you are unsure where your JSON string originated from, it
+    # is recommended that you always apply this helper (other libraries, such as the
+    # JSON gem, do not provide this kind of protection by default; also some gems
+    # might override +to_json+ to bypass Active Support's encoder).
     def json_escape(s)
       result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
       s.html_safe? ? result.html_safe : result
@@ -84,33 +135,32 @@ module ActiveSupport #:nodoc:
   class SafeBuffer < String
     UNSAFE_STRING_METHODS = %w(
       capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
-      slice squeeze strip sub succ swapcase tr tr_s upcase prepend
+      slice squeeze strip sub succ swapcase tr tr_s upcase
     )
 
     alias_method :original_concat, :concat
     private :original_concat
 
+    # Raised when <tt>ActiveSupport::SafeBuffer#safe_concat</tt> is called on unsafe buffers.
     class SafeConcatError < StandardError
       def initialize
-        super 'Could not concatenate to the buffer because it is not html safe.'
+        super "Could not concatenate to the buffer because it is not html safe."
       end
     end
 
     def [](*args)
       if args.size < 2
         super
-      else
-        if html_safe?
-          new_safe_buffer = super
-
-          if new_safe_buffer
-            new_safe_buffer.instance_eval { @html_safe = true }
-          end
+      elsif html_safe?
+        new_safe_buffer = super
 
-          new_safe_buffer
-        else
-          to_str[*args]
+        if new_safe_buffer
+          new_safe_buffer.instance_variable_set :@html_safe, true
         end
+
+        new_safe_buffer
+      else
+        to_str[*args]
       end
     end
 
@@ -119,7 +169,7 @@ module ActiveSupport #:nodoc:
       original_concat(value)
     end
 
-    def initialize(*)
+    def initialize(str = "")
       @html_safe = true
       super
     end
@@ -134,28 +184,27 @@ module ActiveSupport #:nodoc:
     end
 
     def concat(value)
-      if !html_safe? || value.html_safe?
-        super(value)
-      else
-        super(ERB::Util.h(value))
-      end
+      super(html_escape_interpolated_argument(value))
     end
     alias << concat
 
+    def prepend(value)
+      super(html_escape_interpolated_argument(value))
+    end
+
     def +(other)
       dup.concat(other)
     end
 
     def %(args)
-      args = Array(args).map do |arg|
-        if !html_safe? || arg.html_safe?
-          arg
-        else
-          ERB::Util.h(arg)
-        end
+      case args
+      when Hash
+        escaped_args = Hash[args.map { |k, arg| [k, html_escape_interpolated_argument(arg)] }]
+      else
+        escaped_args = Array(args).map { |arg| html_escape_interpolated_argument(arg) }
       end
 
-      self.class.new(super(args))
+      self.class.new(super(escaped_args))
     end
 
     def html_safe?
@@ -171,11 +220,11 @@ module ActiveSupport #:nodoc:
     end
 
     def encode_with(coder)
-      coder.represent_scalar nil, to_str
+      coder.represent_object nil, to_str
     end
 
     UNSAFE_STRING_METHODS.each do |unsafe_method|
-      if 'String'.respond_to?(unsafe_method)
+      if unsafe_method.respond_to?(unsafe_method)
         class_eval <<-EOT, __FILE__, __LINE__ + 1
           def #{unsafe_method}(*args, &block)       # def capitalize(*args, &block)
             to_str.#{unsafe_method}(*args, &block)  #   to_str.capitalize(*args, &block)
@@ -188,10 +237,21 @@ module ActiveSupport #:nodoc:
         EOT
       end
     end
+
+    private
+
+      def html_escape_interpolated_argument(arg)
+        (!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)
+      end
   end
 end
 
 class String
+  # Marks a string as trusted safe. It will be inserted into HTML with no
+  # additional escaping performed. It is your responsibility to ensure that the
+  # string contains no malicious content. This method is equivalent to the
+  # +raw+ helper in views. It is recommended that you use +sanitize+ instead of
+  # this method. It should never be called on user input.
   def html_safe
     ActiveSupport::SafeBuffer.new(self)
   end