Merge pull request #7513 from kalys/master

ERB::Util.html_escape encodes single quote as #39. Decimal form has better support in old browsers.

actionpack/test/template/erb_util_test.rb

@@ -45,7 +45,7 @@ def test_rest_in_ascii
   end
 
   def test_html_escape_once
-    assert_equal '1 &lt;&gt;&amp;&quot;&#x27; 2 &amp; 3', html_escape_once('1 <>&"\' 2 &amp; 3')
+    assert_equal '1 &lt;&gt;&amp;&quot;&#39; 2 &amp; 3', html_escape_once('1 <>&"\' 2 &amp; 3')
   end
 
   def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings

actionpack/test/template/form_options_helper_test.rb

@@ -1124,7 +1124,7 @@ def test_time_zone_select_with_default_time_zone_and_value
 
   def test_options_for_select_with_element_attributes
     assert_dom_equal(
-      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert(&#x27;Hello World&#x27;);\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert(&#39;Hello World&#39;);\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
       options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
     )
   end

actionpack/test/template/form_tag_helper_test.rb

@@ -391,7 +391,7 @@ def test_stringify_symbol_keys
 
   def test_submit_tag
     assert_dom_equal(
-      %(<input name='commit' data-disable-with="Saving..." onclick="alert(&#x27;hello!&#x27;)" type="submit" value="Save" />),
+      %(<input name='commit' data-disable-with="Saving..." onclick="alert(&#39;hello!&#39;)" type="submit" value="Save" />),
       submit_tag("Save", :onclick => "alert('hello!')", :data => { :disable_with => "Saving..." })
     )
   end

actionpack/test/template/javascript_helper_test.rb

@@ -44,14 +44,14 @@ def test_escape_javascript_with_safebuffer
 
   def test_button_to_function
     assert_deprecated "button_to_function is deprecated and will be removed from Rails 4.1. Use Unobtrusive JavaScript instead." do
-      assert_dom_equal %(<input type="button" onclick="alert(&#x27;Hello world!&#x27;);" value="Greeting" />),
+      assert_dom_equal %(<input type="button" onclick="alert(&#39;Hello world!&#39;);" value="Greeting" />),
         button_to_function("Greeting", "alert('Hello world!')")
     end
   end
 
   def test_button_to_function_with_onclick
     assert_deprecated "button_to_function is deprecated and will be removed from Rails 4.1. Use Unobtrusive JavaScript instead." do
-      assert_dom_equal "<input onclick=\"alert(&#x27;Goodbye World :(&#x27;); alert(&#x27;Hello world!&#x27;);\" type=\"button\" value=\"Greeting\" />",
+      assert_dom_equal "<input onclick=\"alert(&#39;Goodbye World :(&#39;); alert(&#39;Hello world!&#39;);\" type=\"button\" value=\"Greeting\" />",
         button_to_function("Greeting", "alert('Hello world!')", :onclick => "alert('Goodbye World :(')")
     end
   end
@@ -65,21 +65,21 @@ def test_button_to_function_without_function
 
   def test_link_to_function
     assert_deprecated "link_to_function is deprecated and will be removed from Rails 4.1. Use Unobtrusive JavaScript instead." do
-      assert_dom_equal %(<a href="#" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
+      assert_dom_equal %(<a href="#" onclick="alert(&#39;Hello world!&#39;); return false;">Greeting</a>),
         link_to_function("Greeting", "alert('Hello world!')")
     end
   end
 
   def test_link_to_function_with_existing_onclick
     assert_deprecated "link_to_function is deprecated and will be removed from Rails 4.1. Use Unobtrusive JavaScript instead." do
-      assert_dom_equal %(<a href="#" onclick="confirm(&#x27;Sanity!&#x27;); alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
+      assert_dom_equal %(<a href="#" onclick="confirm(&#39;Sanity!&#39;); alert(&#39;Hello world!&#39;); return false;">Greeting</a>),
         link_to_function("Greeting", "alert('Hello world!')", :onclick => "confirm('Sanity!')")
     end
   end
 
   def test_function_with_href
     assert_deprecated "link_to_function is deprecated and will be removed from Rails 4.1. Use Unobtrusive JavaScript instead." do
-      assert_dom_equal %(<a href="http://example.com/" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
+      assert_dom_equal %(<a href="http://example.com/" onclick="alert(&#39;Hello world!&#39;); return false;">Greeting</a>),
         link_to_function("Greeting", "alert('Hello world!')", :href => 'http://example.com/')
     end
   end

actionpack/test/template/text_helper_test.rb

@@ -149,7 +149,7 @@ def test_truncate_with_block_with_escape_false_should_be_html_safe
   end
 
   def test_truncate_with_block_should_escape_the_block
-    assert_equal "Here is a long test and ...<script>alert('foo');</script>",
+    assert_equal "Here is a long test and ...<script>alert('foo');</script>",
       truncate("Here is a long test and I need a continue to read link", :length => 27) { "<script>alert('foo');</script>" }
   end
 

actionpack/test/template/url_helper_test.rb

@@ -244,7 +244,7 @@ def test_link_with_nil_html_options
 
   def test_link_tag_with_custom_onclick
     link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
-    expected = %{<a href="http://www.example.com" onclick="alert(&#x27;yay!&#x27;)">Hello</a>}
+    expected = %{<a href="http://www.example.com" onclick="alert(&#39;yay!&#39;)">Hello</a>}
     assert_dom_equal expected, link
   end
 

activesupport/CHANGELOG.md

 ## Rails 4.0.0 (unreleased) ##
 
+*   `ERB::Util.html_escape` encodes single quote as `#39`. Decimal form has better support in old browsers. *Kalys Osmonov*
+
 *   `ActiveSupport::Callbacks`: deprecate monkey patch of object callbacks.
     Using the #filter method like this:
 

activesupport/lib/active_support/core_ext/string/output_safety.rb

@@ -3,7 +3,7 @@
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
     HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
     JSON_ESCAPE_REGEXP = /[&"><]/

activesupport/test/core_ext/string_ext_test.rb

@@ -500,7 +500,7 @@ def to_s
 
   test "ERB::Util.html_escape should escape unsafe characters" do
     string = '<>&"\''
-    expected = '&lt;&gt;&amp;&quot;&#x27;'
+    expected = '&lt;&gt;&amp;&quot;&#39;'
     assert_equal expected, ERB::Util.html_escape(string)
   end
 

railties/test/application/assets_test.rb

@@ -241,7 +241,7 @@ def show_detailed_exceptions?() true end
 
       get '/posts'
       assert_match(/AssetNotPrecompiledError/, last_response.body)
-      assert_match(/app.js isn't precompiled/, last_response.body)
+      assert_match(/app.js isn't precompiled/, last_response.body)
     end
 
     test "assets raise AssetNotPrecompiledError when manifest file is present and requested file isn't precompiled if digest is disabled" do
@@ -265,7 +265,7 @@ class ::PostsController < ActionController::Base ; end
 
       get '/posts'
       assert_match(/AssetNotPrecompiledError/, last_response.body)
-      assert_match(/app.js isn&#x27;t precompiled/, last_response.body)
+      assert_match(/app.js isn&#39;t precompiled/, last_response.body)
     end
 
     test "precompile properly refers files referenced with asset_path and and run in the provided RAILS_ENV" do