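require 'erb'
require 'active_support/core_ext/kernel/singleton_class'

class ERB
  module Util
    # Replacement table for the characters +html_escape+ rewrites.
    # A single quote is deliberately absent from this table and from the
    # regexp used below, so escaped output is only safe inside
    # double-quoted attribute values. (The page this was restored from had
    # the entities decoded back to the raw characters, which turned the
    # table into a no-op; the entity forms are the intended values.)
    HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }.freeze

    # JavaScript \uXXXX escape sequences used by +json_escape+. There is
    # intentionally no entry for '"': see +json_escape+, which drops double
    # quotes rather than escaping them.
    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }.freeze

    # Detect whether 1.9 can transcode with XML escaping. The probe must
    # produce exactly the wrapped, entity-encoded form; on rubies without
    # :xml encode support the call raises, hence the inline rescue.
    if '"&gt;&lt;&amp;&quot;"' == ('><&"'.encode('utf-8', :xml => :attr) rescue false)
      # A utility method for escaping HTML tag characters.
      # This method is also aliased as <tt>h</tt>.
      #
      # In your ERB templates, use this method to escape any unsafe content. For example:
      #   <%=h @person.name %>
      #
      # ==== Example:
      #   puts html_escape("is a > 0 & a < 10?")
      #   # => is a &gt; 0 &amp; a &lt; 10?
      #
      # Strings already marked +html_safe?+ are returned untouched; everything
      # else is stringified, escaped and returned as a safe buffer.
      def html_escape(s)
        s = s.to_s
        if s.html_safe?
          s
        else
          # :xml => :attr wraps the result in double quotes; [1...-1] strips them.
          s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
        end
      end
    else
      # Fallback for rubies that cannot transcode with XML escaping: rewrite
      # the four characters in HTML_ESCAPE byte-wise (/n) and mark the result safe.
      def html_escape(s) #:nodoc:
        s = s.to_s
        if s.html_safe?
          s
        else
          s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
        end
      end
    end

    # The stdlib +erb+ already defines +h+ and exports +html_escape+ as a
    # module function. Aliasing twice issues a warning "discarding old...",
    # so the old definitions are removed before re-aliasing and re-exporting.
    remove_method(:h)
    alias h html_escape
    module_function :h

    singleton_class.send(:remove_method, :html_escape)
    module_function :html_escape

    # A utility method for escaping HTML entities in JSON strings
    # using \uXXXX JavaScript escape sequences for string literals:
    #
    #   json_escape("is a > 0 & a < 10?")
    #   # => is a \u003E 0 \u0026 a \u003C 10?
    #
    # Note that after this operation is performed the output is not
    # valid JSON. In particular double quotes are removed:
    #
    #   json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
    #   # => {name:john,created_at:2010-04-28T01:39:31Z,id:1}
    #
    # This method is also aliased as +j+, and available as a helper
    # in Rails templates:
    #
    #   <%=j @person.to_json %>
    #
    # The safety flag of the input is preserved: a safe input yields a safe
    # buffer, anything else yields a plain String.
    #
    # NOTE(review): only '&', '<' and '>' are rewritten. '"' matches the
    # regexp but has no JSON_ESCAPE entry, so the block yields nil and gsub
    # deletes it. Any other character passes through unchanged, so callers
    # must still place the result inside a properly delimited JS string.
    def json_escape(s)
      result = s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
      s.html_safe? ? result.html_safe : result
    end

    alias j json_escape
    module_function :j
    module_function :json_escape
  end
end

class Object
  # Plain objects are never considered HTML-safe.
  def html_safe?
    false
  end
end

class Numeric
  # Numbers cannot carry markup, so they are always safe to emit.
  def html_safe?
    true
  end
end

module ActiveSupport #:nodoc:
  # A String subclass that tracks whether its contents are already escaped.
  # Appending unsafe content to a safe buffer escapes it first; calling any
  # of the String methods listed in UNSAFE_STRING_METHODS returns a plain
  # String (or, for the bang variants, clears the safe flag in place).
  class SafeBuffer < String
    # String methods whose result may no longer be safe. Each is redefined
    # below (when present on String) to return a plain String, and its bang
    # form to mark the receiver unsafe.
    UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase", "prepend"].freeze

    # Keep the raw String#concat reachable for safe_concat, which bypasses escaping.
    alias_method :original_concat, :concat
    private :original_concat

    # Raised by safe_concat when the buffer is no longer marked safe.
    class SafeConcatError < StandardError
      def initialize
        super "Could not concatenate to the buffer because it is not html safe."
      end
    end

    # Slicing. A single-argument slice defers to String#[] unchanged. A
    # (start, length) slice of a safe buffer returns a new safe buffer; the
    # same slice of an unsafe buffer goes through to_str and returns a plain
    # String copy.
    def [](*args)
      return super if args.size < 2

      if html_safe?
        new_safe_buffer = super
        new_safe_buffer.instance_eval { @html_safe = true }
        new_safe_buffer
      else
        to_str[*args]
      end
    end

    # Appends +value+ without escaping. Only permitted while the buffer is
    # still safe; otherwise raises SafeConcatError.
    def safe_concat(value)
      raise SafeConcatError unless html_safe?
      original_concat(value)
    end

    # A freshly built buffer starts out safe.
    def initialize(*)
      @html_safe = true
      super
    end

    # dup/clone carry the safety flag over from the source buffer.
    def initialize_copy(other)
      super
      @html_safe = other.html_safe?
    end

    # Returns an empty buffer with the same safety flag as the receiver.
    def clone_empty
      self[0, 0]
    end

    # Appends +value+. If this buffer is already unsafe, or +value+ is
    # itself safe, it is appended as-is; otherwise it is HTML-escaped first.
    def concat(value)
      if !html_safe? || value.html_safe?
        super(value)
      else
        super(ERB::Util.h(value))
      end
    end
    alias << concat

    # Non-destructive append: copies the buffer, then applies the concat rules.
    def +(other)
      dup.concat(other)
    end

    # True only when the safe flag was set and has not been cleared.
    def html_safe?
      defined?(@html_safe) && @html_safe
    end

    # A safe buffer stringifies to itself so the safe flag is not lost.
    def to_s
      self
    end

    # URL parameters get the plain String value.
    def to_param
      to_str
    end

    # Psych hook: serialize as a plain scalar, not as a SafeBuffer object.
    def encode_with(coder)
      coder.represent_scalar nil, to_str
    end

    # Under a non-Syck YAML engine the encode_with hook above applies;
    # otherwise dump the plain String form.
    def to_yaml(*args)
      return super() if defined?(YAML::ENGINE) && !YAML::ENGINE.syck?
      to_str.to_yaml(*args)
    end

    # Generate the unsafe wrappers. Methods absent from String on this ruby
    # (e.g. prepend on older versions) are skipped.
    UNSAFE_STRING_METHODS.each do |unsafe_method|
      if 'String'.respond_to?(unsafe_method)
        class_eval <<-EOT, __FILE__, __LINE__ + 1
          def #{unsafe_method}(*args, &block)       # def capitalize(*args, &block)
            to_str.#{unsafe_method}(*args, &block)  #   to_str.capitalize(*args, &block)
          end                                       # end

          def #{unsafe_method}!(*args)              # def capitalize!(*args)
            @html_safe = false                      #   @html_safe = false
            super                                   #   super
          end                                       # end
        EOT
      end
    end
  end
end

class String
  # Wraps the receiver in a SafeBuffer, asserting that it is already escaped.
  # Only call this on content you have escaped yourself or that is trusted.
  def html_safe
    ActiveSupport::SafeBuffer.new(self)
  end
end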