Custom html_escape method never used

I was looking at old patches, and came across:

When I tried to reproduce, I found that the rails version wasn't getting called at all, whether referenced by "html_escape" or "h".

It looks like when util.rb does -require 'erb'-, erb loads the code in util.rb first, then goes back and overwrites the definition of the method. Probably a side-effect of require-mucking in dependencies.rb, no?

Here's a gist that lays it all out


181141’s gists · GitHub
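
The load-order effect described in the post above, as an added example that is not part of the original post or of Rails: two constructed stand-in files (`stock_lib.rb` in the role of erb, `custom_ext.rb` in the role of the file with the patched escaper, and a hypothetical `DemoUtil` module) are loaded in a circular require, and `source_location` shows which definition ends up live.

```ruby
require 'tmpdir'

# Constructed stand-ins, not Rails code: stock_lib.rb plays the role of erb,
# custom_ext.rb the role of the file carrying the patched html_escape.
STOCK = <<~'RUBY'
  require 'custom_ext'          # something pulls the override in mid-load
  module DemoUtil
    def self.html_escape(s)
      'stock:' + s
    end
  end
RUBY

CUSTOM = <<~'RUBY'
  require 'stock_lib'           # already loading: returns false, loads nothing
  module DemoUtil
    def self.html_escape(s)
      'custom:' + s
    end
  end
RUBY

# Loads the pair through the library's entry point and reports which file's
# definition is live, plus what that definition returns.
def winning_definition
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'stock_lib.rb'), STOCK)
    File.write(File.join(dir, 'custom_ext.rb'), CUSTOM)
    $LOAD_PATH.unshift(dir)
    begin
      require 'stock_lib'
    ensure
      $LOAD_PATH.delete(dir)
    end
    # source_location names the file whose definition was evaluated last.
    file, _line = DemoUtil.method(:html_escape).source_location
    [File.basename(file), DemoUtil.html_escape('<b>')]
  end
end

p winning_definition
```

The custom definition is evaluated first and then replaced when the outer file finishes loading, so a security patch delivered this way is silently inactive; asserting on `source_location` in a test catches that.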

I actually have a fix for this in the rails_xss branch which is due to hit for 3.0. In addition to redefining it for performance reasons, we need to add awareness of the escaped status of the string.