escape_utils 0.1.9 → 0.2.0

data/.gitignore

@@ -3,4 +3,6 @@ Makefile
 *.bundle
 pkg/*
 doc/*
-*.rbc
+*.rbc
+tmp/
+Gemfile.lock

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--colour

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 0.2.0 (February 8th, 2011)
+* fixed a couple of compilation warnings on 1.9.3
+* moved to rspec2
+* remove hard-conversion to utf-8 to preserve the string's original encoding
+* moved to rake-compiler, Bundler
+* pass through incompletely escaped data on unescaping
+* added tilde to escape_{uri,url}specs (It's a difference between CGI.escape and URI.escape)
+* escape_uri and escape_url now match their Ruby counterparts
+** escape_uri is used where URI.escape is, and escape_url is used where CGI.escape is used.
+* performance and memory usage optimizations
+
 ## 0.1.9 (October 15th, 2010)
 * add a flag as an optional 2nd parameter to EscapeUtils.escape_html to disable/enable the escaping of the '/' character. Defaults to the new flag EscapeUtils.html_secure
 

data/Gemfile

@@ -0,0 +1,3 @@
+source :rubygems
+
+gemspec

data/README.rdoc

@@ -2,11 +2,9 @@
 
 Being as though we're all html escaping everything these days, why not make it faster?
 
-At the moment escape_utils supports escaping and unescaping of HTML, and Javascript but I wanna add URL encoding soon.
-
 For character encoding in 1.9, we'll return strings in whatever Encoding.default_internal is set to or utf-8 otherwise.
 
-It has monkey-patches for Rack::Utils, CGI, ERB::Util and Haml and ActionView so you can drop this in and have your app start escaping fast as balls in no time
+It has monkey-patches for Rack::Utils, CGI, URI, ERB::Util and Haml and ActionView so you can drop this in and have your app start escaping fast as balls in no time
 
 It supports HTML, URL, URI and Javascript escaping/unescaping.
 
@@ -38,16 +36,20 @@ It supports HTML, URL, URI and Javascript escaping/unescaping.
 
 === URL
 
+Use (un)escape_uri to get RFC-compliant escaping (like PHP rawurlencode).
+
+Use (un)escape_url to get CGI escaping (where space is +).
+
 ==== Escaping
 
   url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
-  escaped_url = EscapeUtils.url_escape(url)
+  escaped_url = EscapeUtils.escape_url(url)
 
 ==== Unescaping
 
   url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
-  escaped_url = EscapeUtils.url_escape(url)
-  EscapeUtils.url_unescape(escaped_url) == url # => true
+  escaped_url = EscapeUtils.escape_url(url)
+  EscapeUtils.unescape_url(escaped_url) == url # => true
 
 === Javascript
 
@@ -141,4 +143,4 @@ I didn't look that hard, but I'm not aware of another ruby library that does Jav
  fast_xs_extra#fast_uxs_cgi
   0.010000   0.000000   0.010000 (  0.006062)
  EscapeUtils.unescape_url
-  0.000000   0.000000   0.000000 (  0.005679)
+  0.000000   0.000000   0.000000 (  0.005679)

data/Rakefile

@@ -1,35 +1,32 @@
-# encoding: UTF-8
+# rspec
 begin
-  require 'jeweler'
-  Jeweler::Tasks.new do |gem|
-    gem.name = "escape_utils"
-    gem.summary = "Faster string escaping routines for your web apps"
-    gem.email = "seniorlopez@gmail.com"
-    gem.homepage = "http://github.com/brianmario/escape_utils"
-    gem.authors = ["Brian Lopez"]
-    gem.require_paths = ["lib", "ext"]
-    gem.extra_rdoc_files = `git ls-files *.rdoc`.split("\n")
-    gem.files = `git ls-files`.split("\n")
-    gem.extensions = ["ext/extconf.rb"]
-    gem.files.include %w(lib/jeweler/templates/.document lib/jeweler/templates/.gitignore)
-    # gem.rubyforge_project = "mysql2"
+  require 'rspec'
+  require 'rspec/core/rake_task'
+
+  desc "Run all examples with RCov"
+  RSpec::Core::RakeTask.new('spec:rcov') do |t|
+    t.rcov = true
+  end
+  RSpec::Core::RakeTask.new('spec') do |t|
+    t.verbose = true
   end
+
+  task :default => :spec
 rescue LoadError
-  puts "Jeweler, or one of its dependencies, is not available. Install it with: sudo gem install jeweler -s http://gems.github.com"
+  puts "rspec, or one of its dependencies, is not available. Install it with: sudo gem install rspec"
 end
 
-require 'rake'
-require 'spec/rake/spectask'
+# rake-compiler
+require 'rake' unless defined? Rake
 
-desc "Run all examples with RCov"
-Spec::Rake::SpecTask.new('spec:rcov') do |t|
-  t.spec_files = FileList['spec/']
-  t.rcov = true
-  t.rcov_opts = lambda do
-    IO.readlines("spec/rcov.opts").map {|l| l.chomp.split " "}.flatten
-  end
+gem 'rake-compiler', '>= 0.7.5'
+require "rake/extensiontask"
+
+Rake::ExtensionTask.new('escape_utils') do |ext|
+  ext.cross_compile = true
+  ext.cross_platform = ['x86-mingw32', 'x86-mswin32-60']
+
+  ext.lib_dir = File.join 'lib', 'escape_utils'
 end
-Spec::Rake::SpecTask.new('spec') do |t|
-  t.spec_files = FileList['spec/']
-  t.spec_opts << '--options' << 'spec/spec.opts'
-end
+
+Rake::Task[:spec].prerequisites << :compile

data/benchmark/html_escape.rb

@@ -10,7 +10,6 @@ require 'erb'
 require 'cgi'
 require 'haml'
 require 'fast_xs_extra'
-require 'faster_html_escape'
 require 'escape_utils'
 
 module HamlBench
@@ -51,13 +50,6 @@ Benchmark.bmbm do |x|
     end
   end
 
-  x.report do
-    puts "FasterHTMLEscape.html_escape"
-    times.times do
-      FasterHTMLEscape.html_escape(html)
-    end
-  end
-
   x.report do
     puts "fast_xs_extra#fast_xs_html"
     times.times do

data/escape_utils.gemspec

@@ -1,90 +1,31 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
-# -*- encoding: utf-8 -*-
+require './lib/escape_utils/version' unless defined? EscapeUtils::VERSION
 
 Gem::Specification.new do |s|
   s.name = %q{escape_utils}
-  s.version = "0.1.9"
-
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.version = EscapeUtils::VERSION
   s.authors = ["Brian Lopez"]
-  s.date = %q{2010-10-15}
+  s.date = Time.now.utc.strftime("%Y-%m-%d")
   s.email = %q{seniorlopez@gmail.com}
-  s.extensions = ["ext/extconf.rb"]
+  s.extensions = ["ext/escape_utils/extconf.rb"]
   s.extra_rdoc_files = [
     "README.rdoc"
   ]
-  s.files = [
-    ".gitignore",
-     "CHANGELOG.md",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "Rakefile",
-     "VERSION",
-     "benchmark/html_escape.rb",
-     "benchmark/html_unescape.rb",
-     "benchmark/javascript_escape.rb",
-     "benchmark/javascript_unescape.rb",
-     "benchmark/url_escape.rb",
-     "benchmark/url_unescape.rb",
-     "escape_utils.gemspec",
-     "ext/escape_utils.c",
-     "ext/extconf.rb",
-     "lib/escape_utils.rb",
-     "lib/escape_utils/html/cgi.rb",
-     "lib/escape_utils/html/erb.rb",
-     "lib/escape_utils/html/haml.rb",
-     "lib/escape_utils/html/rack.rb",
-     "lib/escape_utils/html_safety.rb",
-     "lib/escape_utils/javascript/action_view.rb",
-     "lib/escape_utils/url/cgi.rb",
-     "lib/escape_utils/url/erb.rb",
-     "lib/escape_utils/url/rack.rb",
-     "lib/escape_utils/url/uri.rb",
-     "spec/html/escape_spec.rb",
-     "spec/html/unescape_spec.rb",
-     "spec/html_safety_spec.rb",
-     "spec/javascript/escape_spec.rb",
-     "spec/javascript/unescape_spec.rb",
-     "spec/query/escape_spec.rb",
-     "spec/query/unescape_spec.rb",
-     "spec/rcov.opts",
-     "spec/spec.opts",
-     "spec/spec_helper.rb",
-     "spec/uri/escape_spec.rb",
-     "spec/uri/unescape_spec.rb",
-     "spec/url/escape_spec.rb",
-     "spec/url/unescape_spec.rb"
-  ]
+  s.files = `git ls-files`.split("\n")
   s.homepage = %q{http://github.com/brianmario/escape_utils}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib", "ext"]
-  s.rubygems_version = %q{1.3.7}
+  s.rubygems_version = %q{1.4.2}
   s.summary = %q{Faster string escaping routines for your web apps}
-  s.test_files = [
-    "spec/html/escape_spec.rb",
-     "spec/html/unescape_spec.rb",
-     "spec/html_safety_spec.rb",
-     "spec/javascript/escape_spec.rb",
-     "spec/javascript/unescape_spec.rb",
-     "spec/query/escape_spec.rb",
-     "spec/query/unescape_spec.rb",
-     "spec/spec_helper.rb",
-     "spec/uri/escape_spec.rb",
-     "spec/uri/unescape_spec.rb",
-     "spec/url/escape_spec.rb",
-     "spec/url/unescape_spec.rb"
-  ]
-
-  if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
-    s.specification_version = 3
+  s.test_files = `git ls-files spec`.split("\n")
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-    else
-    end
-  else
-  end
+  # tests
+  s.add_development_dependency 'rake-compiler', ">= 0.7.5"
+  s.add_development_dependency 'rspec', ">= 2.0.0"
+  # benchmarks
+  s.add_development_dependency 'rack'
+  s.add_development_dependency 'haml'
+  s.add_development_dependency 'fast_xs'
+  s.add_development_dependency 'actionpack'
+  s.add_development_dependency 'url_escape'
 end
 

data/ext/{escape_utils.c → escape_utils/escape_utils.c}

@@ -1,19 +1,27 @@
+#if RB_CVAR_SET_ARITY == 4
+#  define rb_cvar_set(a,b,c) rb_cvar_set(a,b,c,0)
+#endif
 #include <ruby.h>
 #ifdef HAVE_RUBY_ENCODING_H
 #include <ruby/encoding.h>
-static rb_encoding *utf8Encoding;
 #endif
 
 static VALUE mEscapeUtils;
 static ID rb_html_secure;
+static int html_secure = 1;
 
-#define IS_HEX(c) (c >= 48 || c <= 57) && (c >= 65 || c <= 70) && (c >= 97 || c <= 102)
-#define NOT_HEX(c) (c < 48 || c > 57) && (c < 65 || c > 90) && (c < 97 || c > 122)
+#define IS_HEX(c) ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'F') || (c >= 'a' && c <= 'f'))
 #define UNHEX(c) (c >= '0' && c <= '9' ? c - '0' : c >= 'A' && c <= 'F' ? c - 'A' + 10 : c - 'a' + 10)
-#define URI_SAFE(c) (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c== 45 || c == 46 || c == 95 || c == 126
-//                  ALPHA / DIGIT / "-" / "." / "_" / "~"
 
-static size_t escape_html(unsigned char *out, const unsigned char *in, size_t in_len, unsigned short int secure) {
+#define ALPHANUM(c) ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
+#define URL_SAFE(c) (ALPHANUM(c) || c == '-' || c == '_' || c == '.')
+
+/* from uri/common.rb */
+#define UNRESERVED(c) (ALPHANUM(c) || c == '-' || c == '_' || c == '.' || c == '!' || c == '~' || c == '*' || c == '\'' || c == '(' || c == ')')
+#define RESERVED(c) (c == ';' || c == '/' || c == '?' || c == ':' || c == '@' || c== '&' || c == '=' || c == '+' || c == '$' || c == ',' || c == '[' || c == ']')
+#define URI_SAFE(c) (URL_SAFE(c) || UNRESERVED(c) || RESERVED(c))
+
+static size_t escape_html(unsigned char *out, const unsigned char *in, size_t in_len, int secure) {
   size_t total = 0;
   unsigned char curChar;
 
@@ -57,36 +65,39 @@ static size_t unescape_html(unsigned char *out, const unsigned char *in, size_t
   while (len) {
     curChar = *in++;
     if (curChar == '&') {
-      if ((in-start)+2 <= in_len && *in == 'l' && *(in+1) == 't' && *(in+2) == ';') {
+      if (*in == 'l' && *(in+1) == 't' && *(in+2) == ';') {
         *out++ = '<';
         total-=3;
         in+=3;
         len-=3;
-      } else if ((in-start)+2 <= in_len && *in == 'g' && *(in+1) == 't' && *(in+2) == ';') {
+      } else if (*in == 'g' && *(in+1) == 't' && *(in+2) == ';') {
         *out++ = '>';
         total-=3;
         in+=3;
         len-=3;
-      } else if ((in-start)+3 <= in_len && *in == 'a' && *(in+1) == 'm' && *(in+2) == 'p' && *(in+3) == ';') {
+      } else if (*in == 'a' && *(in+1) == 'm' && *(in+2) == 'p' && *(in+3) == ';') {
         *out++ = '&';
         total-=4;
         in+=4;
         len-=4;
-      } else if ((in-start)+3 <= in_len && *in == '#' && *(in+1) == '3' && *(in+2) == '9' && *(in+3) == ';') {
+      } else if (*in == '#' && *(in+1) == '3' && *(in+2) == '9' && *(in+3) == ';') {
         *out++ = '\'';
         total-=4;
         in+=4;
         len-=4;
-      } else if ((in-start)+3 <= in_len && *in == '#' && *(in+1) == '4' && *(in+2) == '7' && *(in+3) == ';') {
+      } else if (*in == '#' && *(in+1) == '4' && *(in+2) == '7' && *(in+3) == ';') {
         *out++ = '/';
         total-=4;
         in+=4;
         len-=4;
-      } else if ((in-start)+4 <= in_len && *in == 'q' && *(in+1) == 'u' && *(in+2) == 'o' && *(in+3) == 't' && *(in+4) == ';') {
+      } else if (*in == 'q' && *(in+1) == 'u' && *(in+2) == 'o' && *(in+3) == 't' && *(in+4) == ';') {
         *out++ = '\"';
         total-=5;
         in+=5;
         len-=5;
+      } else {
+        /* incomplete tag, pass it through */
+        *out++ = curChar;
       }
     } else {
       *out++ = curChar;
@@ -172,7 +183,9 @@ static size_t unescape_javascript(unsigned char *out, const unsigned char *in, s
         *out++ = '/';
         total--;
       } else {
+        /* incomplete escape, pass it through */
         *out++ = curChar;
+        continue;
       }
       in++; in_len--;
     } else {
@@ -194,13 +207,13 @@ static size_t escape_url(unsigned char *out, const unsigned char *in, size_t in_
     curChar = *in++;
     if (curChar == ' ') {
       *out++ = '+';
-    } else if ((curChar != '_' && curChar != '.' && curChar != '-') && NOT_HEX(curChar)) {
+    } else if (URL_SAFE(curChar)) {
+      *out++ = curChar;
+    } else {
       hex[1] = hexChars[curChar & 0x0f];
       hex[0] = hexChars[(curChar >> 4) & 0x0f];
       *out++ = '%'; *out++ = hex[0]; *out++ = hex[1];
       total += 2;
-    } else {
-      *out++ = curChar;
     }
     in_len--;
   }
@@ -217,10 +230,13 @@ static size_t unescape_url(unsigned char *out, const unsigned char *in, size_t i
   while (len) {
     curChar = *in++;
     if (curChar == '%') {
-      if ((in-start)+2 <= in_len && IS_HEX(*in) && IS_HEX(*(in+1))) {
+      if (IS_HEX(*in) && IS_HEX(*(in+1))) {
         *out++ = (UNHEX(*in) << 4) + UNHEX(*(in+1));
         in+=2;
         total-=2;
+      } else {
+        /* incomplete escape, pass it through */
+        *out++ = curChar;
       }
     } else if (curChar == '+') {
       *out++ = ' ';
@@ -264,10 +280,13 @@ static size_t unescape_uri(unsigned char *out, const unsigned char *in, size_t i
   while (len) {
     curChar = *in++;
     if (curChar == '%') {
-      if ((in-start)+2 <= in_len && IS_HEX(*in) && IS_HEX(*(in+1))) {
+      if (IS_HEX(*in) && IS_HEX(*(in+1))) {
         *out++ = (UNHEX(*in) << 4) + UNHEX(*(in+1));
         in+=2;
         total-=2;
+      } else {
+        /* incomplete escape, pass it through */
+        *out++ = curChar;
       }
     } else {
       *out++ = curChar;
@@ -279,11 +298,15 @@ static size_t unescape_uri(unsigned char *out, const unsigned char *in, size_t i
 }
 
 static VALUE rb_escape_html(int argc, VALUE * argv, VALUE self) {
-  VALUE str, rb_secure = rb_funcall(mEscapeUtils, rb_html_secure, 0);
-  unsigned short secure = 1;
-  if (rb_secure == Qfalse) {
-    secure = 0;
-  }
+  VALUE str, rb_secure;
+  int secure = html_secure;
+  VALUE rb_output_buf;
+#ifdef HAVE_RUBY_ENCODING_H
+  rb_encoding *default_internal_enc;
+  rb_encoding *original_encoding;
+#endif
+  unsigned char *inBuf, *outBuf;
+  size_t len, new_len;
 
   if (rb_scan_args(argc, argv, "11", &str, &rb_secure) == 2) {
     if (rb_secure == Qfalse) {
@@ -293,181 +316,202 @@ static VALUE rb_escape_html(int argc, VALUE * argv, VALUE self) {
 
   Check_Type(str, T_STRING);
 
-  VALUE rb_output_buf;
 #ifdef HAVE_RUBY_ENCODING_H
-  rb_encoding *default_internal_enc = rb_default_internal_encoding();
-  rb_encoding *original_encoding = rb_enc_get(str);
+  default_internal_enc = rb_default_internal_encoding();
+  original_encoding = rb_enc_get(str);
 #endif
-  unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  inBuf = (unsigned char*)RSTRING_PTR(str);
+  len = RSTRING_LEN(str);
 
   // this is the max size the string could be
   // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*(len*5));
+  new_len = sizeof(unsigned char)*(len*5);
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
 
   // perform our escape, returning the new string's length
   new_len = escape_html(outBuf, inBuf, len, secure);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
 }
 
 static VALUE rb_unescape_html(VALUE self, VALUE str) {
-  Check_Type(str, T_STRING);
-
   VALUE rb_output_buf;
 #ifdef HAVE_RUBY_ENCODING_H
-  rb_encoding *default_internal_enc = rb_default_internal_encoding();
-  rb_encoding *original_encoding = rb_enc_get(str);
+  rb_encoding *default_internal_enc;
+  rb_encoding *original_encoding;
 #endif
-  unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  unsigned char *inBuf, *outBuf;
+  size_t len, new_len;
+
+  Check_Type(str, T_STRING);
+#ifdef HAVE_RUBY_ENCODING_H
+  default_internal_enc = rb_default_internal_encoding();
+  original_encoding = rb_enc_get(str);
+#endif
+  inBuf = (unsigned char*)RSTRING_PTR(str);
+  len = RSTRING_LEN(str);
 
   // this is the max size the string could be
-  // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*len);
+  // TODO: we could be more intelligent about this, but probably not
+  new_len = sizeof(unsigned char) * len;
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
 
   // perform our escape, returning the new string's length
   new_len = unescape_html(outBuf, inBuf, len);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
 }
 
 static VALUE rb_escape_javascript(VALUE self, VALUE str) {
+  VALUE rb_output_buf;
+#ifdef HAVE_RUBY_ENCODING_H
+  rb_encoding *default_internal_enc;
+  rb_encoding *original_encoding;
+#endif
+  unsigned char *inBuf, *outBuf;
+  size_t len, new_len;
+
   if (str == Qnil) {
     return rb_str_new2("");
   }
 
   Check_Type(str, T_STRING);
 
-  VALUE rb_output_buf;
 #ifdef HAVE_RUBY_ENCODING_H
-  rb_encoding *default_internal_enc = rb_default_internal_encoding();
-  rb_encoding *original_encoding = rb_enc_get(str);
+  default_internal_enc = rb_default_internal_encoding();
+  original_encoding = rb_enc_get(str);
 #endif
-  unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  inBuf = (unsigned char*)RSTRING_PTR(str);
+  len = RSTRING_LEN(str);
 
   // this is the max size the string could be
   // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*(len*2));
+  new_len = sizeof(unsigned char)*(len*2);
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
 
   // perform our escape, returning the new string's length
   new_len = escape_javascript(outBuf, inBuf, len);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
 }
 
 static VALUE rb_unescape_javascript(VALUE self, VALUE str) {
+  VALUE rb_output_buf;
+#ifdef HAVE_RUBY_ENCODING_H
+  rb_encoding *default_internal_enc;
+  rb_encoding *original_encoding;
+#endif
+  unsigned char *inBuf, *outBuf;
+  size_t len, new_len;
+
   if (str == Qnil) {
     return rb_str_new2("");
   }
 
   Check_Type(str, T_STRING);
 
-  VALUE rb_output_buf;
 #ifdef HAVE_RUBY_ENCODING_H
-  rb_encoding *default_internal_enc = rb_default_internal_encoding();
-  rb_encoding *original_encoding = rb_enc_get(str);
+  default_internal_enc = rb_default_internal_encoding();
+  original_encoding = rb_enc_get(str);
 #endif
-  unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  inBuf = (unsigned char*)RSTRING_PTR(str);
+  len = RSTRING_LEN(str);
 
   // this is the max size the string could be
-  // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*len);
+  // TODO: we could be more intelligent about this, but probably not
+  new_len = sizeof(unsigned char) * len;
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
 
   // perform our escape, returning the new string's length
   new_len = unescape_javascript(outBuf, inBuf, len);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
 }
 
 static VALUE rb_escape_url(VALUE self, VALUE str) {
+  VALUE rb_output_buf;
+  #ifdef HAVE_RUBY_ENCODING_H
+    rb_encoding *default_internal_enc;
+    rb_encoding *original_encoding;
+  #endif
+  unsigned char *inBuf, *outBuf;
+  size_t len, new_len;
+
   Check_Type(str, T_STRING);
 
-  VALUE rb_output_buf;
 #ifdef HAVE_RUBY_ENCODING_H
-  rb_encoding *default_internal_enc = rb_default_internal_encoding();
-  rb_encoding *original_encoding = rb_enc_get(str);
+  default_internal_enc = rb_default_internal_encoding();
+  original_encoding = rb_enc_get(str);
 #endif
-  unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  inBuf = (unsigned char*)RSTRING_PTR(str);
+  len = RSTRING_LEN(str);
 
   // this is the max size the string could be
   // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*(len*3));
+  new_len = sizeof(unsigned char)*(len*3);
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
 
   // perform our escape, returning the new string's length
   new_len = escape_url(outBuf, inBuf, len);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
@@ -482,27 +526,27 @@ static VALUE rb_unescape_url(VALUE self, VALUE str) {
   rb_encoding *original_encoding = rb_enc_get(str);
 #endif
   unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  size_t len = RSTRING_LEN(str);
 
   // this is the max size the string could be
-  // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*len);
+  // TODO: we could be more intelligent about this, but probably not
+  size_t new_len = sizeof(unsigned char) * len;
+  unsigned char *outBuf;
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
 
   // perform our escape, returning the new string's length
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
   new_len = unescape_url(outBuf, inBuf, len);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
@@ -517,27 +561,27 @@ static VALUE rb_escape_uri(VALUE self, VALUE str) {
   rb_encoding *original_encoding = rb_enc_get(str);
 #endif
   unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  size_t len = RSTRING_LEN(str);
+  unsigned char *outBuf;
 
   // this is the max size the string could be
   // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*(len*3));
+  size_t new_len = sizeof(unsigned char)*(len*3);
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
 
   // perform our escape, returning the new string's length
   new_len = escape_uri(outBuf, inBuf, len);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
@@ -552,34 +596,47 @@ static VALUE rb_unescape_uri(VALUE self, VALUE str) {
   rb_encoding *original_encoding = rb_enc_get(str);
 #endif
   unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
-  size_t len = RSTRING_LEN(str), new_len = 0;
+  size_t len = RSTRING_LEN(str);
+  unsigned char *outBuf;
 
   // this is the max size the string could be
   // TODO: we should try to be more intelligent about this
-  unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*len);
+  size_t new_len = sizeof(unsigned char)*len;
+
+  // create our new ruby string
+  rb_output_buf = rb_str_new(NULL, new_len);
+  outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
 
   // perform our escape, returning the new string's length
   new_len = unescape_uri(outBuf, inBuf, len);
 
-  // create our new ruby string
-  rb_output_buf = rb_str_new((char *)outBuf, new_len);
-
-  // free the temporary C string
-  free(outBuf);
+  // shrink our new ruby string
+  rb_str_resize(rb_output_buf, new_len);
 
 #ifdef HAVE_RUBY_ENCODING_H
   rb_enc_associate(rb_output_buf, original_encoding);
   if (default_internal_enc) {
     rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
-  } else {
-    rb_output_buf = rb_str_export_to_enc(rb_output_buf, utf8Encoding);
   }
 #endif
   return rb_output_buf;
 }
 
+static VALUE rb_s_get_html_secure(VALUE self)
+{
+  return rb_cvar_get(self, rb_html_secure);
+}
+
+static VALUE rb_s_set_html_secure(VALUE self, VALUE val)
+{
+  html_secure = RTEST(val);
+  rb_cvar_set(self, rb_html_secure, val);
+
+  return val;
+}
+
 /* Ruby Extension initializer */
-void Init_escape_utils_ext() {
+void Init_escape_utils() {
   mEscapeUtils = rb_define_module("EscapeUtils");
   rb_define_method(mEscapeUtils,           "escape_html",          rb_escape_html,   -1);
   rb_define_module_function(mEscapeUtils,  "escape_html",          rb_escape_html,   -1);
@@ -598,10 +655,9 @@ void Init_escape_utils_ext() {
   rb_define_method(mEscapeUtils,           "unescape_uri",         rb_unescape_uri, 1);
   rb_define_module_function(mEscapeUtils,  "unescape_uri",         rb_unescape_uri, 1);
 
-#ifdef HAVE_RUBY_ENCODING_H
-  utf8Encoding = rb_utf8_encoding();
-#endif
+  rb_define_singleton_method(mEscapeUtils, "html_secure",          rb_s_get_html_secure, 0);
+  rb_define_singleton_method(mEscapeUtils, "html_secure=",         rb_s_set_html_secure, 1);
 
-  rb_html_secure = rb_intern("html_secure");
+  rb_html_secure = rb_intern("@@html_secure");
 }