1. 09 Feb, 2016 1 commit
    • A
      drop array allocations on `html_safe` · 783858c8
      Aaron Patterson committed
      For better or worse, anonymous `*` args will allocate arrays.  Ideally,
      the interpreter would optimize away this allocation.  However, given the
      number of times we call `html_safe` it seems worth shedding idealism
      and going for performance.  This line was the top allocation spot for a
      scaffold (and presumably worse on real applications).
  2. 26 Jan, 2016 1 commit
  3. 21 Dec, 2015 1 commit
  4. 18 Sep, 2015 1 commit
  5. 09 Jun, 2015 1 commit
    • G
      Handle invalid UTF-8 strings when HTML escaping · 05a2a6a0
      Grey Baker committed
      Use `ActiveSupport::Multibyte::Unicode.tidy_bytes` to handle invalid UTF-8
      strings in `ERB::Util.unwrapped_html_escape` and `ERB::Util.html_escape_once`.
      Prevents user-entered input passed from a querystring into a form field from
      causing invalid byte sequence errors.
  6. 12 Mar, 2015 1 commit
  7. 12 Feb, 2015 1 commit
    • G
      Properly dump primitive-like AS::SafeBuffer strings as YAML · debe7aed
      Godfrey Chan committed
      `coder.represent_scalar` means something along the lines of "Here is a quoted
      string, you can just add it to the output", which is not the case here. It only
      works for simple strings that can appear unquoted in YAML, but causes problems
      for e.g. primitive-like strings ("1", "true").
      
      `coder.represent_object` on the other hand, means that "This is the Ruby-object
      representation for this thing suitable for use in YAML dumping", which is what
      we want here.
      
      Before:
      
         YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml  # => "Hello"
         YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml   # => true
         YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml  # => false
         YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml      # => 1
         YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml    # => 1.1
      
      After:
      
         YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml  # => "Hello"
         YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml   # => "true"
         YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml  # => "false"
         YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml      # => "1"
         YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml    # => "1.1"
      
      If we ever want Ruby to behave more like PHP or JavaScript though, this is an
      excellent trick to use ;)
  8. 04 Jan, 2015 1 commit
  9. 29 Dec, 2014 2 commits
    • R
      54ec0cbf
    • V
      When trying to access a character on a string buffer object via `:[]`, if the... · 98367466
      Vipul A M committed
      When trying to access a character on a string buffer object via `:[]`, if the object being accessed currently returns `html_safe?` as true,
      we used to set `@html_safe` variable as true on new object created. When doing something like
      
      x = 'Hello'.html_safe
      x[/a/, 1]
      
      would throw an error on ruby 2.2, since when nothing gets matched nil is returned by the code and it tries to set `@html_safe` value to true,
      which would error since starting 2.2 nil is frozen.
      
      This change adds a safety net to avoid setting `@html_safe = true` on frozen objects.
      
      Fixes #18235
  10. 25 Nov, 2014 1 commit
    • S
      Document `String#html_safe` [ci skip] · 0349516d
      Sean Griffin committed
      It should be part of the documented public API, since we have an entire
      section of the guides dedicated to it. Documented in a way that
      addresses the concerns which kept it undocumented in the past.
  11. 25 Oct, 2014 1 commit
  12. 03 Jul, 2014 2 commits
  13. 03 Jun, 2014 3 commits
  14. 03 Apr, 2014 1 commit
  15. 02 Apr, 2014 1 commit
  16. 01 Apr, 2014 1 commit
  17. 12 Feb, 2014 1 commit
  18. 10 Jan, 2014 1 commit
    • J
      Clarify behavior of json_escape, update examples · 7ce68406
      Jon Jensen committed
      The behavior of json_escape was fixed in 2f1c5789, but the doc
      changes and example in that commit incorrectly indicated that the
      return value would be html-safe. Since quotation marks are
      preserved, the raw value is not safe to use in other contexts
      (specifically HTML attributes).
  19. 14 Dec, 2013 1 commit
    • J
      Fixes interpolation on SafeBuffer · a764938a
      Julien Letessier committed
      Interpolation was untested and did not work with hash arguments.
      
      Adds
      - support for interpolation with hash argument
      - tests for the above
      - tests for safe/unsafe interpolation
  20. 05 Dec, 2013 5 commits
  21. 03 Dec, 2013 1 commit
  22. 16 May, 2013 1 commit
    • R
      Revert "Merge pull request #10600 from aditya-kapoor/code_refactor" · ed738f75
      Rafael Mendonça França committed
      This reverts commit 8ce3c1e5, reversing
      changes made to f93da579.
      
      Reason: It slows down the running time.
      
      require "diffbench"
      load 'output_safety.rb'
      
      N = 10000
      b = ActiveSupport::SafeBuffer.new("hello world")
      DiffBench.bm do
        report "capitalize in safe buffer" do
          N.times do
            b.capitalize
          end
        end
      end
      
      > git checkout  069ea45c; diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;
      
      Running benchmark with current working tree
      Checkout HEAD^
      Running benchmark with HEAD^
      Checkout to previous HEAD again
      
                          user     system      total       real
      ----------------------------------capitalize in safe buffer
      After patch:    0.010000   0.000000   0.010000 (  0.009733)
      Before patch:   0.010000   0.000000   0.010000 (  0.007702)
      Improvement: -26%
      
      Running benchmark with current working tree
      Checkout HEAD^
      Running benchmark with HEAD^
      Checkout to previous HEAD again
      
                          user     system      total       real
      ----------------------------------capitalize in safe buffer
      After patch:    0.010000   0.000000   0.010000 (  0.009768)
      Before patch:   0.010000   0.000000   0.010000 (  0.007896)
      Improvement: -24%
      
      Running benchmark with current working tree
      Checkout HEAD^
      Running benchmark with HEAD^
      Checkout to previous HEAD again
      
                          user     system      total       real
      ----------------------------------capitalize in safe buffer
      After patch:    0.010000   0.000000   0.010000 (  0.009938)
      Before patch:   0.010000   0.000000   0.010000 (  0.007768)
      Improvement: -28%
      
      Running benchmark with current working tree
      Checkout HEAD^
      Running benchmark with HEAD^
      Checkout to previous HEAD again
      
                          user     system      total       real
      ----------------------------------capitalize in safe buffer
      After patch:    0.010000   0.000000   0.010000 (  0.010001)
      Before patch:   0.010000   0.000000   0.010000 (  0.007873)
      Improvement: -27%
      
      Running benchmark with current working tree
      Checkout HEAD^
      Running benchmark with HEAD^
      Checkout to previous HEAD again
      
                          user     system      total       real
      ----------------------------------capitalize in safe buffer
      After patch:    0.010000   0.000000   0.010000 (  0.009670)
      Before patch:   0.010000   0.000000   0.010000 (  0.007800)
      Improvement: -24%
      
      Running benchmark with current working tree
      Checkout HEAD^
      Running benchmark with HEAD^
      Checkout to previous HEAD again
      
                          user     system      total       real
      ----------------------------------capitalize in safe buffer
      After patch:    0.010000   0.000000   0.010000 (  0.009949)
      Before patch:   0.010000   0.000000   0.010000 (  0.007752)
      Improvement: -28%
  23. 14 May, 2013 2 commits
  24. 05 Mar, 2013 1 commit
  25. 13 Sep, 2012 1 commit
  26. 09 Sep, 2012 1 commit
  27. 01 Aug, 2012 1 commit
  28. 24 May, 2012 1 commit
    • V
      Revert "Remove blank trailing comments" · 1ad0b378
      Vijay Dev committed
      This reverts commit fa6d921e.
      
      Reason: Not a fan of such massive changes. We usually close such changes
      if made to Rails master as a pull request. Following the same principle
      here and reverting.
      
      [ci skip]
  29. 20 May, 2012 1 commit
    • H
      Remove blank trailing comments · fa6d921e
      Henrik Hodne committed
      For future reference, this is the regex I used: ^\s*#\s*\n(?!\s*#). Replace
      with the first match, and voilà! Note that the regex matches a little bit too
      much, so you probably want to `git add -i .` and go through every single diff
      to check if it actually should be changed.
  30. 18 May, 2012 1 commit
  31. 17 May, 2012 1 commit