`link_to :back` creates a link to whatever was
passed in via the referer header. If an attacker
can alter the referer header, that would create
a cross-site scripting vulnerability on every
page that uses `link_to :back`

This commit restricts the back URL to valid
non-javascript URLs.

https://github.com/rails/rails/issues/14444

`hfvalue` parts should always be percent encoded, so lets do that!

Revert "use path escaping for email addresses"

This reverts commit 21ffef38.

Due to e25fdad2, we are correctly using
path escaping for email addresses.  This commit fixes the tests to
expect path escaping.

content_tag's first argument is will generate a string with an html tag so `:a` will generate: `<a></a>`. When this happens, the symbol is implicitly `to_s`-d so a new string is allocated. We can get around that by using a frozen string instead which

This change buys us 74,236 bytes of memory and 1,855 fewer objects per request.

No idea why on earth this hash key isn't already optimized by MRI, but it isn't. 💩

This change buys us 74,077 bytes of memory and 1,852 fewer objects per request.

This reverts commit d459b001, reversing
changes made to 4d4950fa.

😓

The block is not supposed to be passed to `link_to`. It's used for a
customized behavior of the `condtion = false` case. The docs
illustrate that like so:

```
<%=
   link_to_if(@current_user.nil?, "Login", { controller: "sessions", action: "new" }) do
     link_to(@current_user.login, { controller: "accounts", action: "show", id: @current_user })
   end
%>
```

add block to link_to_if when condition is true

No need to merge hashes when simply setting options does the job.

This logic was just doing duplicated work, since the button_to helper
relies on tag/content_tag to generate the button html, which already
handles all boolean attributes it knows about.

The code dates back to 2005: 43c470fa.

The `link_to` helper generates an HTML anchor element (consisting of opening and closing anchor tags and an element body). The docs currently state the a link tag is generated (which would indicate a tag like `<link>`, which is another valid HTML tag), so this change clarifies that an anchor element is actually generated.

[ci skip]

when mail_to generate blank options for any passed options(cc, bcc, body, subject)
then MICROSOFT OUTLOOK treats it differently and set wrong values in different options.

[ci skip]

89ff1f82 and 1de258e6 removed from the HTML generated by the form helpers
the <div> that was wrapping the field elements inside the <form>.

This commit updates the documentation of the methods to reflect the
two commits above.

In actionview, eliminate calls to tag that use html_safe parameter values. This is generally unnecessary, since tag handles string quoting, except in one case (utf8_enforcer_tag) where we want to specify the encoding ourselves.

Related with cbb91745

According to the best practice that "unless not" and "unless else"
is hard to follow logically the link_to_unless and link_to_if
were reversed.

I did not see in the docs that `button_to` supports not only URLs but paths as well. I documented this functionality with a unit tests and added an example to the docs as well.

The parameters are rendered as hidden form fields within the generated
form. This is useful for when a record has multiple buttons associated
with it, each of which target the same controller method, but which
need to submit different attributes.

Fixes warning

warning: URI.unescape is obsolete

In some cases webservers like nginx send the escaped characters
lowercased to the Rails application. The current_page? helper was
comparing the escaped strings that are different since Ruby escapes the
URL using uppercased characters.

Use link_to with block and url_hash, expect block as name.
But ignore block and use url_hash as name.
3-2-stable passes this test. 4-0-stable and master fail this.

concerning the options that it inherits from +url_for+. The way that
+polymorhpic_url+ is built allows it to have options
like +:anchor+, +:script_name+, etc. but this is currently not
documented.

Remove :confirm and :disable_with options for ActionView::Helpers::UrlHelper#link_to and #button_to were deprecated.

There's no need to use Hash#merge with a new hash just for setting the
href option to pass it through. Since we're always dealing with a new
html_options hash, we're free to just set the value instead.

The examples do not generate the output they intend to due to not explicitly declaring the hash separations. This causes it to be treated as one parameter instead of the intended two parameters.