Plus a couple of related ActionPack patches.

see: https://bugs.ruby-lang.org/issues/6696

- `check_parameters` kwargs was added to the `current_page?` method, the implementation was assuming only hashes responds to `delete`. This was causing issues when `current_page?` was called with a Active Model object
- ref https://github.com/rails/rails/pull/27549
- Fixes #28846

- This method was added in this commit https://github.com/rails/rails/commit/33258d713a4bc20b71e92fd656c923a7b189cd33
- The last caller got removed there https://github.com/rails/rails/commit/0b6ce3422370647cad3e91263a291f69b313d65b

Since this protection is now in Parameters we can use it instead of
reimplementing again.

(I personally prefer writing one string in one line no matter how long it is, though)

Example:

For "http://www.example.com/shop/checkout?order=desc&page=1"

current_page?('http://www.example.com/shop/checkout')
=> true

current_page?(
  'http://www.example.com/shop/checkout',
  check_parameters: true
)
=> false

```
% git grep -n permited
actionview/test/template/url_helper_test.rb:238:  def test_button_to_with_permited_strong_params
actionview/test/template/url_helper_test.rb:245:  def test_button_to_with_unpermited_strong_params
activerecord/test/cases/relations_test.rb:1620:  def test_update_on_relation_passing_active_record_object_is_not_permited
```

Before, an error would be raised saying that the method `to_param` was
undefined on the instance of `ActionController::Parameters`. Now, we are
checking to see if the `params` object being passed to `button_to`
responds to the `permitted?` method, and if so, we will call `to_h` on it. If it
does not respond to `permitted?`, then the `params` will remain
unchanged.

[Jon Moss, Rafael Mendonça França]

Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces

Fix all violations in the repository.

A few have been left for aesthetic reasons, but have made a pass
and removed most of them.

Note that if the method `foo` returns an array, `foo << 1`
is a regular push, nothing to do with assignments, so
no self required.

The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.

Follow up to #23980.

In e6e0579d the `params` option was added to the `button_to` helper. However, the patch doesn't support nested hashes so `{a: {b: 'c'}}` for example gets turned into a hidden form input with the name 'a' and the value being the string representation of the `{b: 'c'}` nested hash.

Since Rails supports nested hashes everywhere else (and even in the URL params of link_to and button_to), I believe this to be a bug/unfinished feature.

html_safe is not supposed to be public API for AV. This change removes usage of html_safe in favour of raw() in AV helpers.
Also changed usage of html_safe to make use of raw() instead so that the intended behaviour is verified with raw()

`link_to :back` creates a link to whatever was
passed in via the referer header. If an attacker
can alter the referer header, that would create
a cross-site scripting vulnerability on every
page that uses `link_to :back`

This commit restricts the back URL to valid
non-javascript URLs.

https://github.com/rails/rails/issues/14444

It used to behave like this:

    url_for(controller: 'x', action: 'y', q: {})
    # -> "/x/y?"

We previously avoided empty query strings in most cases by removing
nil values, then checking whether params was empty.  But as you can
see above, even non-empty params can yield an empty query string.  So
I changed the code to just directly check whether the query string
ended up empty.

(To make everything more consistent, the "removing nil values"
functionality should probably move to ActionPack's Hash#to_query, the
place where empty hashes and arrays get removed.  However, this would
change a lot more behavior.)

`hfvalue` parts should always be percent encoded, so lets do that!

Revert "use path escaping for email addresses"

This reverts commit 21ffef38.

Due to e25fdad2, we are correctly using
path escaping for email addresses.  This commit fixes the tests to
expect path escaping.

The `url_for` methods in `actionpack` and `actionview`
now make a copy of the provided options
before generating polymorphic paths or URLs.

The bug in the previous behavior
is most noticeable in a case like:

    url_options = [:new, :post, param: 'value']

    if current_page?(url_options)
      css_class = "active"
    end

    link_to "New Post", url_options, class: css_class

Prompted by:
https://github.com/rails/rails/commit/e38dd7bfa4360e241eadf0cf44abdf86ea33a393#commitcomment-11011496

/cc @kuldeepaggarwal

This illustrates the purpose of the block for `link_to_if` and
`link_to_unless` helper methods.

It should help to prevent further mistakes like #19844.

This reverts commit d459b001, reversing
changes made to 4d4950fa.

😓

The block is not supposed to be passed to `link_to`. It's used for a
customized behavior of the `condtion = false` case. The docs
illustrate that like so:

```
<%=
   link_to_if(@current_user.nil?, "Login", { controller: "sessions", action: "new" }) do
     link_to(@current_user.login, { controller: "accounts", action: "show", id: @current_user })
   end
%>
```

Fixed test for deprecation warning in actionview, renaming from https://github.com/rails/rails/commit/baf14ae513337cb185acf865e93dfc48f3aabf6a

when mail_to generate blank options for any passed options(cc, bcc, body, subject)
then MICROSOFT OUTLOOK treats it differently and set wrong values in different options.