https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

responses.

Processing controller actions in a separate thread allows us to work
around the rack api - we can allow the user to set status and headers,
then block until the first bytes are written.  As soon as the first
bytes are written, the main thread can return the status, headers, and
(essentially) a queue for the body.

When someone sends malformed authorization header, like:

    Authorization: Token foobar

given token should be just ignored and resource should not be authorized,
instead of raising error. Before this patch controller would return 401 header
only for well formed tokens, like:

    Authorization: Token token=foobar

and would return 500 in former case.

minitest/spec provides `describe`, so deprecate the rails version and
have people use the superclass version

Assuming the type ":touch", Collector.new was calling
send(:touch), which instead of triggering method_missing
and generating a new collector method, actually
invoked the private method `touch` inherited from
Object.

By generating the method for each mime type as it
is registered, the private methods on Object can
never be reached by `send`, because the `Collector`
will have them before `send` is called on it.

To do this, a callback mechanism was added to Mime::Type

This allows someone to add a callback for whenever
a new mime type is registered. The callback then
gets called with the new mime as a parameter.

This is then used in AbstractController::Collector
to generate new collector methods after each mime
is registered.

Signed-off-by: NFrançois de Metz <francois@stormz.me>

Deprecate usage of filter object with #before and #after
methods as around callback

To test uploading a file without using fixture_file_upload, a posted
ActionDispatch::Http::UploadedFile should not be paramified (just like
Rack::Test::UploadedFile).
(Rack::Test::UploadedFile and ActionDispatch::Http::UploadedFile don't
share the same API, tempfile is not accessible on
Rack::Test::UploadedFile as discussed in
https://github.com/brynary/rack-test/issues/30)

1. Change in test name as already defined.
2. ambiguous first argument; put parentheses or 
even spaces

Added test for case when view doesn't have logger method when using ActionController::Metal controller.

There are several aspects to this commit, that don't well fit into broken down
commits, so they are detailed here:

 * When a user uses response.headers['Cache-Control'] = some_value, then the
   documented convention in ConditionalGet is not adhered to, in this case,
   response.cache_control is ignored due to `return if
   self[CACHE_CONTROL].present?`
 * When a middleware sets cache-control headers that would clobber, they're
   converted to symbols directly, without underscores. This would lead to bugs.
 * Items that would live in :extras if set through expires_in, are placed
   directly in the @cache_control hash, and not respected in many cases
   (somewhat adhering to the aforementioned documentation).
 * Although quite useless, any directive named 'extras' would be ignored.

The general convention applied is that expires_* take precedence, but no longer
overwrite everything and expires_* are ALWAYS applied, even if the header is
set.

I am still unhappy about the contents of this commit, and the code in general.
Ideally it should be refactored to no longer use :extras. I'd likely recommend
expanding @cache_control into a class, and giving it the power to handle the
merge in a more efficient fashion. Such a commit would be a larger change that
could have additional semantic changes for other libraries unless they utilize
expires_in in very standard ways.

This middleware is only for Public Exceptions.
This follows bd8c0b8a

Module#methods are Symbols in Ruby >= 1.9

In integration tests, you might want to use helpers from engines that
you mounted in your application. It's not hard to add it by yourself,
but it's unneeded boilerplate. mounted_helpers are now included by
default. That means that given engine mounted like:

    mount Foo::Engine => "/foo", :as => "foo"

you will be able to use paths from this engine in tests this way:

    foo.root_path #=> "/foo"

(closes #6573)

Prior to this patch the existing .force_ssl method handles both defining
the filter and handling the logic for performing the redirect.

With this patch the logic for redirecting to the HTTPS protocol is
separated from the filter logic that determines if a redirect should
occur.  By separating the two levels of behavior, an instance method
for ActionController (i.e. #force_ssl_redirect) is exposed and available
for more granular SSL enforcement.

Cleaned up indentation.

When more than one directory for helpers is provided to a controller, it
should preserver the order of directories. Given 2 paths:

    MyController.helpers_paths = ["dir1/helpers", "dir2/helpers"]

helpers from dir1 should be loaded first. Before this commit, all
helpers were mixed and then sorted alphabetically, which essentially
would require to rename helpers to get desired order.

This is a problem especially for engines, where you would like to be
able to predict accurately which engine helpers will load first.

(closes #6496)

Although no recognized formats use non-ASCII characters, sometimes they
can be included in the :format parameter because of invalid URLS. To
prevent encoding incompatibility errors we need to escape them before
passing the path to URI.unescape.

Closes #4379

Before this change, assert_recognizes, assert_generates, and
assert_routing raised ActionController::RoutingError when they failed to
recognize the route.

This commit changes them to raise Assertion instead. This aligns with
convention for logical failures, and supports reporting tools that care
about the difference between logical failures and errors e.g. the
summary at the end of a test run.

- Fixes #5899

This commit improves the handling of default_url_options in integration
tests by making behave closer to how a real application operates.

Specifically the following issues have been addressed:

* Options specified in routes.rb are used (fixes #546)
* Options specified in controllers are used
* Request parameters are recalled correctly
* Tests can override default_url_options directly