cgi 0.5.1 → 0.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f7c88bb08e51fd6b7abd1855b87d05c8af6b8f4e89865f0315f512badcddcb9
-  data.tar.gz: fbe294b63d488ae16c123d325b2251a9561da5b474105a0ecbb1ecd880c4cdb6
+  metadata.gz: 9c5aa5b0794db539b4fa7b8a3da82182b587829ac7de10a444ef52447eef3811
+  data.tar.gz: 9a90fdb11ac132bd2c5693fa34c9ffdd5f492e66961561ef51bfab109e1deff0
 SHA512:
-  metadata.gz: 9d4837752a514f02e88f8f3673fa0b0b9a31195df062d79c9d5b51175288f5053409fc337b1613ad27393b92c4394663d4cfd355d30c555b565f79a9102e2feb
-  data.tar.gz: 0c465bae726d291b6829b6f0bf9f86d05976bf61529dc8190da4fd73022b37924c7901c3b29fb3cddb7760829aa24ac5cd6999c1f1ad9b4ec825fe0afc63ef19
+  metadata.gz: aaa90e2e539670dd03dfea7dcc26cb6382eef97fd783bcbc99f509018492386e7160a3944f52eb6fae589bfec628c5d935d5226412243d3267d7781945dd6f70
+  data.tar.gz: e9b846ecf59d6834dc02e7f1e1f5eb47ca845f2f85451a85c54c088aa547d01daf3a65651d61d769a86e30da2a242ea826bb231e83cf2421c811b4de67d07144

data/README.md

@@ -22,11 +22,15 @@ gem 'cgi'
 
 And then execute:
 
-    $ bundle
+```bash
+bundle
+```
 
 Or install it yourself as:
 
-    $ gem install cgi
+```bash
+gem install cgi
+```
 
 ## Usage
 
@@ -73,7 +77,6 @@ db.transaction do
 end
 ```
 
-
 ### Restore form values from file
 
 ```ruby

data/lib/cgi/core.rb

@@ -72,91 +72,267 @@ class CGI
 
   private :env_table, :stdinput, :stdoutput
 
-  # Create an HTTP header block as a string.
-  #
   # :call-seq:
-  #   http_header(content_type_string="text/html")
-  #   http_header(headers_hash)
-  #
-  # Includes the empty line that ends the header block.
+  #    http_header(content_type = 'text/html') -> string
+  #    http_header(headers) -> string
+  #
+  # Creates and returns an HTTP header section as a multi-line string.
+  #
+  # The string always includes:
+  #
+  # - Header +Content-Type+ (with a default value if none given).
+  # - A trailing newline, which delimits the header block;
+  #   that last line is omitted from the examples below.
+  #
+  # <b>In Brief</b>
+  #
+  #   headers = {
+  #     'charset' => 'iso-2022-jp',
+  #     'connection' => 'keep-alive',
+  #     'cookie' => 'foo=0',
+  #     'expires' => Time.now + (60 * 60 * 24 * 365),
+  #     'language' => 'en-US, en-CA',
+  #     'length' =>  4096,
+  #     'nph' => true,
+  #     'server' => 'Apache/2.4.1 (Unix)',
+  #     'status' => 'OK',
+  #     'type' => 'text/xml',
+  #     MyHeader: true
+  #   }
+  #
+  #   puts cgi.http_header(headers)
+  #   HTTP/1.0 200 OK
+  #   Date: Mon, 01 Dec 2025 22:08:22 GMT
+  #   Server: Apache/2.4.1 (Unix)
+  #   Connection: keep-alive
+  #   Content-Type: text/xml; charset=iso-2022-jp
+  #   Content-Length: 4096
+  #   Content-Language: en-US, en-CA
+  #   Expires: Tue, 01 Dec 2026 22:05:30 GMT
+  #   Set-Cookie: foo=0
+  #   MyHeader: true
+  #
+  #   headers.delete('nph')
+  #
+  #   puts cgi.http_header(headers)
+  #   Status: 200 OK
+  #   Server: Apache/2.4.1 (Unix)
+  #   Connection: keep-alive
+  #   Content-Type: text/xml; charset=iso-2022-jp
+  #   Content-Length: 4096
+  #   Content-Language: en-US, en-CA
+  #   Expires: Tue, 01 Dec 2026 22:05:30 GMT
+  #   Set-Cookie: foo=0
+  #   MyHeader: true
+  #
+  # <b>Arguments</b>
+  #
+  # With no argument given,
+  # includes only header +Content-Type+ with its default value <tt>'text/html'</tt>:
+  #
+  #   puts cgi.http_header
+  #   Content-Type: text/html
+  #
+  # With string argument +content_type+ given,
+  # includes header +Content-Type+ with the given value:
   #
-  # +content_type_string+::
-  #   If this form is used, this string is the <tt>Content-Type</tt>
-  # +headers_hash+::
-  #   A Hash of header values. The following header keys are recognized:
-  #
-  #   type:: The Content-Type header.  Defaults to "text/html"
-  #   charset:: The charset of the body, appended to the Content-Type header.
-  #   nph:: A boolean value.  If true, prepend protocol string and status
-  #         code, and date; and sets default values for "server" and
-  #         "connection" if not explicitly set.
-  #   status::
-  #     The HTTP status code as a String, returned as the Status header.  The
-  #     values are:
-  #
-  #     OK:: 200 OK
-  #     PARTIAL_CONTENT:: 206 Partial Content
-  #     MULTIPLE_CHOICES:: 300 Multiple Choices
-  #     MOVED:: 301 Moved Permanently
-  #     REDIRECT:: 302 Found
-  #     NOT_MODIFIED:: 304 Not Modified
-  #     BAD_REQUEST:: 400 Bad Request
-  #     AUTH_REQUIRED:: 401 Authorization Required
-  #     FORBIDDEN:: 403 Forbidden
-  #     NOT_FOUND:: 404 Not Found
-  #     METHOD_NOT_ALLOWED:: 405 Method Not Allowed
-  #     NOT_ACCEPTABLE:: 406 Not Acceptable
-  #     LENGTH_REQUIRED:: 411 Length Required
-  #     PRECONDITION_FAILED:: 412 Precondition Failed
-  #     SERVER_ERROR:: 500 Internal Server Error
-  #     NOT_IMPLEMENTED:: 501 Method Not Implemented
-  #     BAD_GATEWAY:: 502 Bad Gateway
-  #     VARIANT_ALSO_VARIES:: 506 Variant Also Negotiates
-  #
-  #   server:: The server software, returned as the Server header.
-  #   connection:: The connection type, returned as the Connection header (for
-  #                instance, "close".
-  #   length:: The length of the content that will be sent, returned as the
-  #            Content-Length header.
-  #   language:: The language of the content, returned as the Content-Language
-  #              header.
-  #   expires:: The time on which the current content expires, as a +Time+
-  #             object, returned as the Expires header.
-  #   cookie::
-  #     A cookie or cookies, returned as one or more Set-Cookie headers.  The
-  #     value can be the literal string of the cookie; a CGI::Cookie object;
-  #     an Array of literal cookie strings or Cookie objects; or a hash all of
-  #     whose values are literal cookie strings or Cookie objects.
-  #
-  #     These cookies are in addition to the cookies held in the
-  #     @output_cookies field.
-  #
-  #   Other headers can also be set; they are appended as key: value.
-  #
-  # Examples:
-  #
-  #   http_header
-  #     # Content-Type: text/html
+  #   puts cgi.http_header('text/xml')
+  #   Content-Type: text/xml
+  #
+  # With hash argument +headers+ given,
+  # includes a header for hash entry, whose name is based on the entry's key,
+  # and whose value is the entry's value.
+  #
+  # <i>Recognized Keys</i>
+  #
+  # The following keys are recognized;
+  # each is a lowercase string:
+  #
+  # <tt>'charset'</tt>::
+  #   The character set of the body; appended to the +Content-Type+ header:
+  #
+  #     puts cgi.http_header('charset' => 'iso-2022-jp')
+  #     Content-Type: text/html; charset=iso-2022-jp
+  #
+  # <tt>'connection'</tt>::
+  #   Sets header +Connection+ to the given string:
+  #
+  #     puts cgi.http_header('connection' => 'keep-alive')
+  #     Connection: keep-alive
+  #     Content-Type: text/html
+  #
+  # <tt>'cookie'</tt>::
+  #   Sets one or more +Set-Cookie+ headers to the given value, which may be:
+  #
+  #   - String cookie.
+  #   - CGI::Cookie object.
+  #   - Array of string cookies and CGI::Cookie objects.
+  #   - A hash whose values are string cookies and CGI::Cookie objects
+  #     (the keys are not used).
+  #
+  #   Examples:
+  #
+  #     foo_string = 'foo=0'
+  #     bar_string = 'bar=1'
+  #     foo_cookie = CGI::Cookie.new('foo', '0')
+  #     bar_cookie = CGI::Cookie.new('bar', '1')
+  #
+  #     puts cgi.http_header('cookie' => foo_string)
+  #     Content-Type: text/html
+  #     Set-Cookie: foo=0
+  #
+  #     puts cgi.http_header('cookie' => foo_cookie)
+  #     Content-Type: text/html
+  #     Set-Cookie: foo=0; path=
+  #
+  #     puts cgi.http_header('cookie' => [foo_cookie, bar_string])
+  #     Content-Type: text/html
+  #     Set-Cookie: foo=0; path=
+  #     Set-Cookie: bar=1
+  #
+  #     puts cgi.http_header('cookie' => {foo: foo_cookie, bar: bar_string})
+  #     Content-Type: text/html
+  #     Set-Cookie: foo=0; path=
+  #     Set-Cookie: bar=1
+  #
+  #   These cookies are in addition to the cookies held
+  #   in the <tt>@output_cookies</tt> variable.
+  #
+  # <tt>'expires'</tt>::
+  #   Sets header +Expires+ to the given time,
+  #   which must be a {Time}[https://docs.ruby-lang.org/en/master/Time.html] object:
+  #
+  #     puts cgi.http_header('expires' => Time.now + (60 * 60 * 24 * 365))
+  #     Content-Type: text/html
+  #     Expires: Tue, 01 Dec 2026 23:42:37 GMT
+  #
+  # <tt>'language'</tt>::
+  #   Sets header +Content-Language+ to the given string:
+  #
+  #     puts cgi.http_header('language' => 'en-US, en-CA')
+  #     Content-Type: text/html
+  #     Content-Language: en-US, en-CA
+  #
+  # <tt>'length'</tt>::
+  #   Sets header +Content-Length+ to the given value,
+  #   which may be an integer or a string:
+  #
+  #     puts cgi.http_header('length' =>  4096)
+  #     Content-Type: text/html
+  #     Content-Length: 4096
   #
-  #   http_header("text/plain")
-  #     # Content-Type: text/plain
+  #     puts cgi.http_header('length' =>  '4096')
+  #     Content-Type: text/html
+  #     Content-Length: 4096
   #
-  #   http_header("nph"        => true,
-  #               "status"     => "OK",  # == "200 OK"
-  #                 # "status"     => "200 GOOD",
-  #               "server"     => ENV['SERVER_SOFTWARE'],
-  #               "connection" => "close",
-  #               "type"       => "text/html",
-  #               "charset"    => "iso-2022-jp",
-  #                 # Content-Type: text/html; charset=iso-2022-jp
-  #               "length"     => 103,
-  #               "language"   => "ja",
-  #               "expires"    => Time.now + 30,
-  #               "cookie"     => [cookie1, cookie2],
-  #               "my_header1" => "my_value",
-  #               "my_header2" => "my_value")
+  # <tt>'nph'</tt>::
+  #   If +true+:
+  #
+  #   - Adds protocol string and status code as first line.
+  #   - Adds date as second line.
+  #   - Adds headers +Server+ with no value,
+  #     and +Connection+ with default value <tt>'close'</tt>;
+  #     either or both values may be overridden with explicit values.
+  #
+  #   Examples:
+  #
+  #     puts cgi.http_header('nph' => true)
+  #     HTTP/1.0 200 OK
+  #     Date: Mon, 01 Dec 2025 19:42:22 GMT
+  #     Server:
+  #     Connection: close
+  #     Content-Type: text/html
+  #
+  #     puts cgi.http_header('nph' => true, 'server' => 'Apache/2.4.1 (Unix)', 'connection' => 'keep-alive')
+  #     HTTP/1.0 200 OK
+  #     Date: Mon, 01 Dec 2025 20:00:41 GMT
+  #     Server: Apache/2.4.1 (Unix)
+  #     Connection: keep-alive
+  #     Content-Type: text/html
+  #
+  # <tt>'server'</tt>::
+  #   Sets header +Server+ to the given string:
+  #
+  #     puts cgi.http_header('server' => 'Apache/2.4.1 (Unix)')
+  #     Server: Apache/2.4.1 (Unix)
+  #     Content-Type: text/html
+  #
+  # <tt>'status'</tt>::
+  #   Sets header +Status+ to the given string:
+  #
+  #     puts cgi.http_header('status' => '666 MyVeryOwnStatus')
+  #     Status: 666 MyVeryOwnStatus
+  #     Content-Type: text/html
+  #
+  #   If the given string is a key in the hash constant +CGI::HTTP_STATUS+,
+  #   the status becomes the value for that key:
+  #
+  #     CGI::HTTP_STATUS
+  #     # =>
+  #     {"OK" => "200 OK",
+  #      "PARTIAL_CONTENT" => "206 Partial Content",
+  #      "MULTIPLE_CHOICES" => "300 Multiple Choices",
+  #      "MOVED" => "301 Moved Permanently",
+  #      "REDIRECT" => "302 Found",
+  #      "NOT_MODIFIED" => "304 Not Modified",
+  #      "BAD_REQUEST" => "400 Bad Request",
+  #      "AUTH_REQUIRED" => "401 Authorization Required",
+  #      "FORBIDDEN" => "403 Forbidden",
+  #      "NOT_FOUND" => "404 Not Found",
+  #      "METHOD_NOT_ALLOWED" => "405 Method Not Allowed",
+  #      "NOT_ACCEPTABLE" => "406 Not Acceptable",
+  #      "LENGTH_REQUIRED" => "411 Length Required",
+  #      "PRECONDITION_FAILED" => "412 Precondition Failed",
+  #      "SERVER_ERROR" => "500 Internal Server Error",
+  #      "NOT_IMPLEMENTED" => "501 Method Not Implemented",
+  #      "BAD_GATEWAY" => "502 Bad Gateway",
+  #      "VARIANT_ALSO_VARIES" => "506 Variant Also Negotiates"}
+  #
+  #     puts cgi.http_header('status' => 'OK')
+  #     Status: 200 OK
+  #     Content-Type: text/html
+  #
+  #     puts cgi.http_header('status' => 'NOT_FOUND')
+  #     Status: 404 Not Found
+  #     Content-Type: text/html
+  #
+  # <tt>'type'</tt>::
+  #   Sets +Content-Type+, overriding the default value <tt>'text/html'</tt>:
+  #
+  #     puts cgi.http_header('type' => 'text/xml')
+  #     Content-Type: text/xml
+  #
+  # <i>Unrecognized Keys</i>
+  #
+  # Headers may also be set for unrecognized keys;
+  # an unrecognized key becomes a header name with the given value:
+  #
+  #   puts cgi.http_header('length' => 0)  # Recognized key (lowercase string).
+  #   Content-Type: text/html
+  #   Content-Length: 0
+  #
+  #   puts cgi.http_header('Length' => 0)  # Unrecognized key (string key not lowercase).
+  #   Content-Type: text/html
+  #   Length: 0
+  #
+  #   puts cgi.http_header(length: 0)      # Unrecognized key (symbol key not string)
+  #   Content-Type: text/html
+  #   length: 0
   #
   # This method does not perform charset conversion.
+  #
+  # It's best to use this method (CGI#http_header), not its aliased method +header+,
+  # which is provided only for backward compatibility.
+  #
+  # Method CGI#http_header is preferred because when +tag_maker+ is <tt>'html5'</tt>,
+  # calling method +header+ generates an HTML +header+ element:
+  #
+  #   cgi = CGI.new(tag_maker: 'html5')
+  #   puts cgi.http_header  # Works as expected.
+  #   Content-Type: text/html
+  #   puts cgi.header       # Maybe a surprise.
+  #   <HEADER></HEADER>
+  #
   def http_header(options='text/html')
     if options.is_a?(String)
       content_type = options
@@ -481,7 +657,7 @@ class CGI
 
     ##
     # Parses multipart form elements according to
-    #   http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.2
+    #   https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.2
     #
     # Returns a hash of multipart form parameters with bodies of type StringIO or
     # Tempfile depending on whether the multipart form element exceeds 10 KB
@@ -662,13 +838,16 @@ class CGI
     # Handles multipart forms (in particular, forms that involve file uploads).
     # Reads query parameters in the @params field, and cookies into @cookies.
     def initialize_query()
+      content_length = env_table['CONTENT_LENGTH']
+      content_length = nil if content_length == ''
       if ("POST" == env_table['REQUEST_METHOD']) and
         %r|\Amultipart/form-data.*boundary=\"?([^\";,]+)\"?| =~ env_table['CONTENT_TYPE']
         current_max_multipart_length = @max_multipart_length.respond_to?(:call) ? @max_multipart_length.call : @max_multipart_length
         raise StandardError.new("too large multipart data.") if env_table['CONTENT_LENGTH'].to_i > current_max_multipart_length
+        raise StandardError.new("no content length for multipart data.") if content_length.nil?
         boundary = $1.dup
         @multipart = true
-        @params = read_multipart(boundary, Integer(env_table['CONTENT_LENGTH']))
+        @params = read_multipart(boundary, Integer(content_length))
       else
         @multipart = false
         @params = CGI.parse(
@@ -681,7 +860,11 @@ class CGI
                       end
                     when "POST"
                       stdinput.binmode if defined? stdinput.binmode
-                      stdinput.read(Integer(env_table['CONTENT_LENGTH'])) or ''
+                      if content_length.nil?
+                        stdinput.read or ''
+                      else
+                        stdinput.read(Integer(content_length)) or ''
+                      end
                     else
                       read_from_cmdline
                     end.dup.force_encoding(@accept_charset)
@@ -758,12 +941,75 @@ class CGI
   #
   @@accept_charset="UTF-8" if false # needed for rdoc?
 
-  # Return the accept character set for all new CGI instances.
+  # :call-seq:
+  #   CGI.accept_charset -> encoding
+  #
+  # Returns the default accept character set to be used for new \CGI instances;
+  # see CGI.accept_charset=.
   def self.accept_charset
     @@accept_charset
   end
 
-  # Set the accept character set for all new CGI instances.
+  # :call-seq:
+  #    CGI.accept_charset = encoding
+  #
+  # Sets the default accept character set to be used for new \CGI instances;
+  # returns the argument.
+  #
+  # The argument may be an Encoding object or an Encoding name;
+  # see {Encodings}[https://docs.ruby-lang.org/en/master/language/encodings_rdoc.html]:
+  #
+  #   # The initial value.
+  #   CGI.accept_charset # => #<Encoding:UTF-8>
+  #   CGI.new
+  #   # =>
+  #   #<CGI:0x0000018991db6ae8
+  #    @accept_charset=#<Encoding:UTF-8>,
+  #    @accept_charset_error_block=nil,
+  #    @cookies={},
+  #    @max_multipart_length=134217728,
+  #    @multipart=false,
+  #    @options={accept_charset: #<Encoding:UTF-8>, max_multipart_length: 134217728},
+  #    @output_cookies=nil,
+  #    @output_hidden=nil,
+  #    @params={}>
+  #
+  #   # Set by Encoding name.
+  #   CGI.accept_charset = 'US-ASCII' # => "US-ASCII"
+  #   CGI.new
+  #   # =>
+  #   #<CGI:0x0000018991cf4100
+  #    @accept_charset="US-ASCII",
+  #    @accept_charset_error_block=nil,
+  #    @cookies={},
+  #    @max_multipart_length=134217728,
+  #    @multipart=false,
+  #    @options={accept_charset: "US-ASCII", max_multipart_length: 134217728},
+  #    @output_cookies=nil,
+  #    @output_hidden=nil,
+  #    @params={}>
+  #
+  #   # Set by Encoding object.
+  #   CGI.accept_charset = Encoding::ASCII_8BIT # => #<Encoding:BINARY (ASCII-8BIT)>
+  #   CGI.new
+  #   # =>
+  #   #<CGI:0x0000018991cfc800
+  #    @accept_charset=#<Encoding:BINARY (ASCII-8BIT)>,
+  #    @accept_charset_error_block=nil,
+  #    @cookies={},
+  #    @max_multipart_length=134217728,
+  #    @multipart=false,
+  #    @options={accept_charset: #<Encoding:BINARY (ASCII-8BIT)>, max_multipart_length: 134217728},
+  #    @output_cookies=nil,
+  #    @output_hidden=nil,
+  #    @params={}>
+  #
+  # The given encoding is not checked in this method,
+  # but if it is invalid, a call to CGI.new will fail:
+  #
+  #   CGI.accept_charset = 'foo'
+  #   CGI.new  # Raises ArgumentError: unknown encoding name - foo
+  #
   def self.accept_charset=(accept_charset)
     @@accept_charset=accept_charset
   end
@@ -803,16 +1049,18 @@ class CGI
   # With no argument and no block given, returns a new \CGI object with default values:
   #
   #   cgi = CGI.new
-  #   puts cgi.pretty_inspect
-  #   #<CGI:0x000002b0ea237bc8
-  #   @accept_charset=#<Encoding:UTF-8>,
-  #   @accept_charset_error_block=nil,
-  #   @cookies={},
-  #   @max_multipart_length=134217728,
-  #   @multipart=false,
-  #   @output_cookies=nil,
-  #   @output_hidden=nil,
-  #   @params={}>
+  #   cgi
+  #   # =>
+  #   #<CGI:0x00000189917aff00
+  #    @accept_charset=#<Encoding:UTF-8>,
+  #    @accept_charset_error_block=nil,
+  #    @cookies={},
+  #    @max_multipart_length=134217728,
+  #    @multipart=false,
+  #    @options={accept_charset: #<Encoding:UTF-8>, max_multipart_length: 134217728},
+  #    @output_cookies=nil,
+  #    @output_hidden=nil,
+  #    @params={}>
   #
   # With hash argument +options+ given and no block given,
   # returns a new \CGI object with the given options.
@@ -852,27 +1100,50 @@ class CGI
   #       CGI.new(max_multipart_length: -> {check_filesystem})
   #
   #   If the option is not given, the default is +134217728+, specifying a maximum size of 128 megabytes.
-#
-#   <em>Note:</em> This option configures internal behavior only.
-#   There is no public method to retrieve this value after initialization.
+  #
+  #   <em>Note:</em> This option configures internal behavior only.
+  #   There is no public method to retrieve this value after initialization.
   #
   # - <tt>tag_maker: _html_version_</tt>:
-  #   specifies which version of HTML to use in generating tags.
+  #   specifies a version of HTML;
+  #   this determines which tag-generating instance methods
+  #   (such as +html+, +head+, +body+, etc.) are to be loaded.
   #
   #   Value _html_version_ may be one of:
   #
-  #   - <tt>'html3'</tt>: {HTML version 3}[https://en.wikipedia.org/wiki/HTML#HTML_3].
-  #   - <tt>'html4'</tt>: {HTML version 4}[https://en.wikipedia.org/wiki/HTML#HTML_4].
-  #   - <tt>'html4Tr'</tt>: HTML 4.0 Transitional.
-  #   - <tt>'html4Fr'</tt>: HTML 4.0 with Framesets.
-  #   - <tt>'html5'</tt>: {HTML version 5}[https://en.wikipedia.org/wiki/HTML#HTML_5].
+  #   - <tt>'html3'</tt>: {HTML version 3}[https://www.w3.org/MarkUp/html3/Contents.html].
+  #   - <tt>'html4'</tt>: {HTML version 4}[https://www.w3.org/TR/html4].
+  #   - <tt>'html4Tr'</tt>: {HTML 4.0 Transitional}[https://www.w3.org/TR/html4/sgml/loosedtd.html].
+  #   - <tt>'html4Fr'</tt>: {HTML 4.0 with Framesets}[https://www.w3.org/TR/html4/present/frames.html].
+  #   - <tt>'html5'</tt>: {HTML version 5}[https://html.spec.whatwg.org/multipage].
   #
   #   Example:
   #
   #     CGI.new(tag_maker: 'html5')
   #
-  #   If the option is not given,
-  #   no HTML generation methods are loaded.
+  #   If the option is not given (or if an invalid value is given),
+  #   no tag-generating methods are loaded.
+  #
+  #   Examples:
+  #
+  #     CGI.new.respond_to?(:html)                       # => false  # Tag-generating methods not loaded.
+  #     CGI.new(tag_maker: 'html3').respond_to?(:html)   # => true   # Tag-generating methods loaded.
+  #     # Tag 'button' is new in HTML 4.
+  #     CGI.new(tag_maker: 'html3').respond_to?(:button) # => false
+  #     CGI.new(tag_maker: 'html4').respond_to?(:button) # => true
+  #     # Tag 'canvas' is new in HTML 5.
+  #     CGI.new(tag_maker: 'html4').respond_to?(:canvas) # => false
+  #     CGI.new(tag_maker: 'html5').respond_to?(:canvas) # => true
+  #     # Value is case-sensitive.
+  #     CGI.new(tag_maker: 'HTML4').respond_to?(:html)   # => false
+  #
+  #   You can determine exactly which methods have been loaded;
+  #   this example captures the methods loaded by <tt>'html4'</tt>:
+  #
+  #     methods_loaded = CGI.new('html4').methods - CGI.new.methods
+  #     methods_loaded.size # => 98
+  #     methods_loaded.sort.take(10)
+  #     # => [:a, :abbr, :acronym, :address, :area, :b, :base, :bdo, :big, :blockquote]
   #
   # With string argument +tag_maker+ given as _tag_maker_ and no block given,
   # equivalent to <tt>CGI.new(tag_maker: _tag_maker_)</tt>:
@@ -890,6 +1161,28 @@ class CGI
   # from the command line or (failing that) from standard input;
   # returns a new \CGI object.
   #
+  # Parameters from command line:
+  #
+  #   $ cat t.rb
+  #   require 'cgi'
+  #   cgi = CGI.new
+  #   p cgi.params
+  #   ruby t.rb foo=0 bar=1 foo=2 bar=3
+  #   {"foo" => ["0", "2"], "bar" => ["1", "3"]}
+  #
+  # Parameters from standard input:
+  #
+  #   cgi = CGI.new
+  #   (offline mode: enter name=value pairs on standard input)
+  #   foo=0
+  #   bar=1
+  #   ^D
+  #   cgi.params
+  #   # => {"foo" => ["0"], "bar" => ["1"]}
+  #
+  # The end-of-file character is Ctrl-D on a Unix-like system (as above),
+  # or Ctrl-Z on Windows.
+  #
   # Otherwise, cookies and other parameters are parsed automatically from the standard CGI locations,
   # which vary according to the request method.
   #
@@ -911,7 +1204,7 @@ class CGI
   #
   # In this example, the proc simply saves the error:
   #
-  #   encoding_errors={}
+  #   encoding_errors = {}
   #   CGI.new(accept_charset: 'EUC-JP') do |name,value|
   #     encoding_errors[name] = value
   #   end

data/lib/cgi/escape.rb

@@ -132,41 +132,32 @@ module CGI::Escape
                 end
     string = string.b
     string.gsub!(/&(apos|amp|quot|gt|lt|\#[0-9]+|\#[xX][0-9A-Fa-f]+);/) do
-      match = $1.dup
+      match = $1
       case match
       when 'apos'                then "'"
       when 'amp'                 then '&'
       when 'quot'                then '"'
       when 'gt'                  then '>'
       when 'lt'                  then '<'
-      when /\A#0*(\d+)\z/
-        n = $1.to_i
-        if n < charlimit
-          n.chr(enc)
-        else
-          "&##{$1};"
-        end
-      when /\A#x([0-9a-f]+)\z/i
-        n = $1.hex
-        if n < charlimit
-          n.chr(enc)
+      else
+        # Numeric character reference. Decode into the binary buffer so that a
+        # non-ASCII byte already present in it never triggers an encoding
+        # compatibility error on concatenation; the trailing force_encoding
+        # re-tags the whole buffer. This mirrors the C extension's
+        # optimized_unescape_html.
+        n = match.start_with?('#x', '#X') ? match[2..-1].hex : match[1..-1].to_i
+        if n >= charlimit
+          "&#{match};"            # out of range: keep the reference verbatim
+        elsif charlimit > 256
+          [n].pack('U').b         # UTF-8: code point bytes, surrogates included (like rb_enc_mbcput)
         else
-          "&#x#{$1};"
+          n.chr.b                 # ISO-8859-1 / ASCII: single byte
         end
-      else
-        "&#{match};"
       end
     end
     string.force_encoding enc
   end
 
-  # Synonym for CGI.escapeHTML(str)
-  alias escape_html escapeHTML
-  alias h escapeHTML
-
-  # Synonym for CGI.unescapeHTML(str)
-  alias unescape_html unescapeHTML
-
   # TruffleRuby runs the pure-Ruby variant faster, do not use the C extension there
   unless RUBY_ENGINE == 'truffleruby'
     begin
@@ -175,6 +166,14 @@ module CGI::Escape
     end
   end
 
+  # Aliases must be defined on EscapeExt so they resolve to the C methods.
+  target = defined?(CGI::EscapeExt) && CGI::EscapeExt.method_defined?(:escapeHTML) ? CGI::EscapeExt : self
+  target.module_eval do
+    alias escape_html escapeHTML
+    alias h escapeHTML
+    alias unescape_html unescapeHTML
+  end
+
   # Escape only the tags of certain HTML elements in +string+.
   #
   # Takes an element or elements or array of elements.  Each element

data/lib/cgi/session.rb

@@ -206,19 +206,28 @@ class CGI
     #          on Unix systems).
     # prefix:: the prefix to add to the session id when generating
     #          the filename for this session's FileStore file.
-    #          Defaults to "cgi_sid_".
+    #          Defaults to the empty string.
     # suffix:: the prefix to add to the session id when generating
     #          the filename for this session's FileStore file.
     #          Defaults to the empty string.
+    # digest:: the digest algorithm to hash the session id when
+    #          generating the filename for this session's FileStore
+    #          file.  Defaults to "SHA256".
+    # length:: the length of the session id part of the filestore,
+    #          excluding +prefix+ and +suffix+ parts.  Defaults to 16.
     def new_store_file(option={}) # :nodoc:
       dir = option['tmpdir'] || Dir::tmpdir
       prefix = option['prefix']
       suffix = option['suffix']
-      require 'digest'
-      sha256 = Digest::SHA256.hexdigest(session_id)[0,16]
+      algorithm = option['digest'] || 'SHA256'
+      if String === algorithm
+        require 'digest'
+        algorithm = Digest(algorithm)
+      end
+      digest = algorithm.hexdigest(session_id)[0, option['length'] || 16]
       path = dir+"/"
       path << prefix if prefix
-      path << sha256
+      path << digest
       path << suffix if suffix
       if File::exist? path
         hash = nil
@@ -410,6 +419,9 @@ class CGI
       # suffix:: the prefix to add to the session id when generating
       #          the filename for this session's FileStore file.
       #          Defaults to the empty string.
+      # digest:: the digest algorithm to hash the session id when
+      #          generating the filename for this session's FileStore
+      #          file.  Defaults to "MD5".
       #
       # This session's FileStore file will be created if it does
       # not exist, or opened if it does.

data/lib/cgi.rb

@@ -26,7 +26,7 @@
 # The file CGI::Session provides session management functionality; see that
 # class for more details.
 #
-# See http://www.w3.org/CGI/ for more information on the CGI protocol.
+# See https://www.w3.org/CGI/ for more information on the CGI protocol.
 #
 # == Introduction
 #
@@ -300,7 +300,7 @@
 
 class CGI
   # The version string
-  VERSION = "0.5.1"
+  VERSION = "0.5.2"
 end
 
 require 'cgi/util'

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: cgi
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.5.2
 platform: ruby
 authors:
 - Yukihiro Matsumoto
 bindir: bin
 cert_chain: []
-date: 2025-12-10 00:00:00.000000000 Z
+date: 2026-06-23 00:00:00.000000000 Z
 dependencies: []
 description: Support for the Common Gateway Interface protocol.
 email:
@@ -38,6 +38,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/ruby/cgi
   source_code_uri: https://github.com/ruby/cgi
+  changelog_uri: https://github.com/ruby/cgi/releases
 rdoc_options: []
 require_paths:
 - lib