doesn't contain `#`

Commit 20fece14 introduced the `_status_code` method to fix calls to
`head :ok`. This method has been added on both ActionController::Metal
and ActionDispatch::Response.

As for the latter, this method is just equivalent to the `response_code`
one so commit aefec3c6 removed it from the `Reponse` object so call to
the `_status_code` method on an ActionController::Base instance would be
handled by the `Metal` class (which `Base` inherits from) but the status
code is not updated according to the response at this level.

The fix is to actually rely on `response_code` for ActionController::Base
instances but this method doesn't exist for bare Metal controllers so we
need to define it.

- The single space response was added due to a bug in safari
  in https://github.com/rails/rails/commit/cb0f8fda9652c4d24d04693bdb82cecd3b067e5c
  and
  https://github.com/rails/rails/commit/807df4fcf021fc4d15972aa1c17ba7398d43ab0d.
- This was removed from the `render nothing: true` in
  https://github.com/rails/rails/pull/14883.
- Removing it from response of :head also. As :head is more obvious
  alternative to call `render nothing:
  true`(http://guides.rubyonrails.org/layouts_and_rendering.html#using-head-to-build-header-only-responses),
  removing it from head method also.
- Closes #18253.

There is no need to subtract one from the path_params size when there is
no format parameter because it is not present in the path_params array.

Fixes #17819.

See:
* https://github.com/rails/rails/pull/14903
* https://github.com/roidrage/lograge/issues/37

Some code by mxrguspxrt from #14903.

We will support only Ruby >= 2.1.

But right now we don't accept pull requests with syntax changes to drop
support to Ruby 1.9.

Fixes https://github.com/rails/rails/issues/16958

[Byron Bischoff & Melanie Gilman]

In cases where this option is set to `true`, the option is redundant and can
be safely removed; otherwise, the corresponding `*_url` helper should be
used instead.

Fixes #17294.

See also #17363.

[Dan Olson, Godfrey Chan]

The scanner in Journey fails to recognize routes that use literals
from the sub-delims section of RFC 3986.

This commit enhance the compatibility of Journey with the RFC by
adding support of authorized delimiters to the scanner.

Fix #17212

[ci skip]

Fixes #17057

IPAddr::InvalidAddressError does not exist in Ruby 1.9.3
and fails for JRuby in 1.9 mode.

As IPAddr::InvalidAddressError is a subclass of ArgumentError
(via IPAddr::Error) just rescuing ArgumentError is fine.

https://github.com/rails/rails/commit/402c2af55053c2f29319091ad21fd6fa6b90ee89
introduced a regression that caused any constraints added to redirect routes
to be ignored.

Fixes #16605

Refactored IP address checking in ActionDispatch::RemoteIp to rely on
the IPAddr class instead of the unwieldly regular expression to match
IP addresses. This commit keeps the same api but allows users to pass
IPAddr objects to config.action_dispatch.trusted_proxies in addition
to passing strings and regular expressions.

Example:

    # config/environments/production.rb
    config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')

Follow up to rails#15321

Instead of duplicating the routes, we will first match the HEAD request to
HEAD routes. If no match is found, we will then map the HEAD request to
GET routes.

If someone is using ActionDispatch::Static to serve assets and makes it past the `match?` then the file exists on disk and it will be served. This PR adds in logic that checks to see if the file being served is already compressed (via gzip) and on disk, if it is it will be served as long as the client can handle gzip encoding. If not, then a non gzip file will be served.

This additional logic slows down an individual asset request but should speed up the consumer experience as compressed files are served and production applications should be delivered with a CDN. This PR allows a CDN to cache a gzip file by setting the `Vary` header appropriately. In net this should speed up a production application that are using Rails as an origin for a CDN. Non-asset request speed is not affected in this PR.

`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.

    params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
    params.to_h # => {}

    unsafe_params = params.dup.permit!
    unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}

    safe_params = params.permit(:name)
    safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}

This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.

Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.

Use the Active Support JSON encoder for cookie jars using the `:json` or
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
cookies by defining the `#as_json` hook on such objects.

Fixes #16520.

- Default to Rails::DeprecatedSanitizer in ActionView::Helpers::SanitizeHelper.
- Add upgrade notes.
- Add sanitizer to new applications Gemfiles.
- Remove 'rails-dom-testing' as a dependency.

respond_with (and consequently the class-level respond_to)
are being removed from Rails. Instead of moving it to a 3rd
library, the functionality will be moved to responders gem
(at github.com/plataformatec/responders) which already provides
some responders extensions.

New default: the template digest is automatically included in your ETags.
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
is mixed in so future changes to the HTML will blow HTTP caches for you.
This makes it easy to HTTP-cache many more of your actions.

If you render a different template, you can now pass the `:template`
option to include its digest instead:

  fresh_when @post, template: 'widgets/show'

Pass `template: false` to skip the lookup. To turn this off entirely, set:

  config.action_controller.etag_with_template_digest = false

The error was moved outside of the `ClassMethods` module.

The test was not failing for `assert_template file: nil` when a file
has been rendered.

You can now configure custom digest for cookies in the same way as `serializer`:

  config.action_dispatch.cookies_digest = 'SHA256'

This reverts commit 70597762, reversing
changes made to dde91e9b.

IT BROKE THE BUILD!!!

You can now configure custom digest for cookies in the same way as `serializer`:

config.action_dispatch.cookies_digest = \SHA256'

Also cleanup test a bit

[related #14886]
[related #14743]