Restore performance of ERB::Util.html_escape

Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8

Signed-off-by: José Valim <jose.valim@gmail.com>

activesupport/lib/active_support/core_ext/string/output_safety.rb

@@ -20,7 +20,7 @@ class ERB
       if s.html_safe?
         s
       else
-        s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
+        s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
       end
     end
 

activesupport/test/core_ext/string_ext_test.rb

@@ -21,12 +21,6 @@ class StringInflectionsTest < Test::Unit::TestCase
   include InflectorTestCases
   include ConstantizeTestCases
 
-  def test_erb_escape
-    string = [192, 60].pack('CC')
-    expected = 192.chr + "&lt;"
-    assert_equal expected, ERB::Util.html_escape(string)
-  end
-
   def test_strip_heredoc_on_an_empty_string
     assert_equal '', ''.strip_heredoc
   end
@@ -497,6 +491,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
     assert string.html_safe?
     assert !string.to_param.html_safe?
   end
+
+  test "ERB::Util.html_escape should escape unsafe characters" do
+    string = '<>&"'
+    expected = '&lt;&gt;&amp;&quot;'
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
+  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
+  test "ERB::Util.html_escape should not escape safe strings" do
+    string = "<b>hello</b>".html_safe
+    assert_equal string, ERB::Util.html_escape(string)
+  end
 end
 
 class StringExcludeTest < ActiveSupport::TestCase