Squashed commit of the following:

commit 9ef905f1
Author: Rafael Mendonça França <rafaelmfranca@gmail.com>
Date:   Tue Aug 7 22:38:40 2012 -0300

    Fix tests about single quote escaping

commit 780a7187
Author: Santiago Pastorino <santiago@wyeworks.com>
Date:   Tue Jul 31 22:25:54 2012 -0300

    html_escape should escape single quotes

    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215

    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb

activesupport/lib/active_support/core_ext/string/output_safety.rb

@@ -2,13 +2,13 @@
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
 
     # A utility method for escaping HTML tag characters.
     # This method is also aliased as <tt>h</tt>.
     #
-    # In your ERb templates, use this method to escape any unsafe content. For example:
+    # In your ERB templates, use this method to escape any unsafe content. For example:
     #   <%=h @person.name %>
     #
     # ==== Example:
@@ -19,7 +19,7 @@ def html_escape(s)
       if s.html_safe?
         s
       else
-        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
+        s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
       end
     end