escape_utils

EscapeUtils used to provide optimized escaping function to replace the slow methods provided by Ruby. Since Ruby 2.5, the various CGI escape methods have been severely optimized and most EscapeUtils methods became irrelevant and were deprecated.

It however still provide fast escaping and unescaping methods for URL (RFC 3986), Javascript, XML, as well as an "escape HTML once" method.

It has monkey-patches for Rack::Utils, URI and ERB::Util so you can drop this in and have your app start escaping fast as balls in no time

Compatible with Ruby 2.5+

gem install escape_utils

escape_utils assumes all input is encoded as valid UTF-8. If you are dealing with other encodings do your best to transcode the string into a UTF-8 byte stream before handing it to escape_utils.

utf8_string = non_utf8_string.encode(Encoding::UTF_8)

As of escape_utils 1.3.0, regular HTML escaping methods are deprecated. Ruby 2.5 introduced C implementations for CGI.escapeHTML and CGI.unescapeHTML which are respectively faster and almost as fast as EscapeUtils. Use that instead.

To avoid double-escaping HTML entities, use EscapeUtils.escape_html_once.

Since historically, HTML monkey patches changed the return value for ActiveSupport::SafeBuffer instances, they are conserved for that purpose only, but they should be considered as deprecated as well.

require 'escape_utils/html/cgi' # to patch CGI

Use escape_uri and unescape to get RFC 3986 compliant escaping (like PHP rawurlencode or ERB::Util.url_encode).

The difference with CGI.escape is that spaces ( ) are encoded as %20 instead of +.

url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
escaped_url = EscapeUtils.escape_uri(url)

url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
escaped_url = EscapeUtils.escape_uri(url)
EscapeUtils.unescape_uri(escaped_uri) == url # => true

require 'escape_utils/url/erb' # to patch ERB::Util
require 'escape_utils/url/uri' # to patch URI

Note that URI.escape and URI.unescape were removed in Ruby 3.0. 'escape_utils/url/uri' is a noop on Ruby 3+.

xml = `curl -s 'https://raw.githubusercontent.com/darcyliu/google-styleguide/master/cppguide.xml'`
escaped_xml = EscapeUtils.escape_xml(xml)

javascript = `curl -s http://code.jquery.com/jquery-1.4.2.js`
escaped_javascript = EscapeUtils.escape_javascript(javascript)

javascript = `curl -s http://code.jquery.com/jquery-1.4.2.js`
escaped_javascript = EscapeUtils.escape_javascript(javascript)
EscapeUtils.unescape_javascript(escaped_javascript) == javascript # => true

require 'escape_utils/javascript/action_view' # to patch ActionView::Helpers::JavaScriptHelper

Escaping URL following RFC 3986 is 13-32x faster than the methods provided by Ruby.

Escaping Javascript is around 13x faster than Rails escape_javascript.

EscapeUtils.escape_html_once is about 17x faster than Rails escape_once.

This output is from my laptop using the benchmark scripts in the benchmarks folder.

EscapeUtils.escape_javascript:                               1567.5 i/s
ActionView::Helpers::JavaScriptHelper#escape_javascript:      116.8 i/s - 13.42x  (± 0.00) slower

EscapeUtils.escape_javascript:    2.089k (± 3.0%) i/s -     10.530k in   5.044615s

I didn't look that hard, but I'm not aware of another ruby library that does Javascript unescaping to benchmark against. Anyone know of any?

EscapeUtils.escape_uri:       4019359.2 i/s
fast_xs_extra#fast_xs_url:    2435949.2 i/s - 1.65x  (± 0.00) slower
URI::DEFAULT_PARSER.escape:   288800.8 i/s - 13.92x  (± 0.00) slower
ERB::Util.url_encode:         122373.5 i/s - 32.85x  (± 0.00) slower

EscapeUtils.unescape_uri:    3866774.5 i/s
fast_xs_extra#fast_uxs_url:  2438900.7 i/s - 1.59x  (± 0.00) slower

EscapeUtils.escape_html_once:                   2831.5 i/s
ActionView::Helpers::TagHelper#escape_once:      161.4 i/s - 17.55x  (± 0.00) slower