EscapeUtils used to provide optimized escaping function to replace the slow methods
provided by Ruby. Since Ruby 2.5, the various
CGI escape methods have been severely optimized
EscapeUtils methods became irrelevant and were deprecated.
It has monkey-patches for Rack::Utils, URI and ERB::Util so you can drop this in and have your app start escaping fast as balls in no time
Compatible with Ruby 2.5+
gem install escape_utils
Warning: UTF-8 only
escape_utils assumes all input is encoded as valid UTF-8. If you are dealing with other encodings do your best to transcode the string into a UTF-8 byte stream before handing it to escape_utils.
utf8_string = non_utf8_string.encode(Encoding::UTF_8)
escape_utils 1.3.0, regular HTML escaping methods are deprecated. Ruby 2.5 introduced C implementations for
CGI.unescapeHTML which are respectively faster and almost as fast as
EscapeUtils. Use that instead.
To avoid double-escaping HTML entities, use
HTML monkey patches changed the return value for
ActiveSupport::SafeBuffer instances, they are conserved for that purpose only, but they should be considered as deprecated as well.
require 'escape_utils/html/cgi' # to patch CGI
unescape to get RFC 3986 compliant escaping (like PHP
The difference with
CGI.escape is that spaces (
) are encoded as
%20 instead of
url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U" escaped_url = .(url)
url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U" escaped_url = .(url) .(escaped_uri) == url # => true
require 'escape_utils/url/erb' # to patch ERB::Util require 'escape_utils/url/uri' # to patch URI
URI.unescape were removed in Ruby 3.0.
'escape_utils/url/uri' is a noop on Ruby 3+.
xml = `curl -s 'https://raw.githubusercontent.com/darcyliu/google-styleguide/master/cppguide.xml'` escaped_xml = .(xml)
Escaping URL following RFC 3986 is 13-32x faster than the methods provided by Ruby.
EscapeUtils.escape_html_once is about 17x faster than Rails
This output is from my laptop using the benchmark scripts in the benchmarks folder.
EscapeUtils.escape_uri: 4019359.2 i/s fast_xs_extra#fast_xs_url: 2435949.2 i/s - 1.65x (± 0.00) slower URI::DEFAULT_PARSER.escape: 288800.8 i/s - 13.92x (± 0.00) slower ERB::Util.url_encode: 122373.5 i/s - 32.85x (± 0.00) slower
EscapeUtils.unescape_uri: 3866774.5 i/s fast_xs_extra#fast_uxs_url: 2438900.7 i/s - 1.59x (± 0.00) slower
EscapeUtils.escape_html_once: 2831.5 i/s ActionView::Helpers::TagHelper#escape_once: 161.4 i/s - 17.55x (± 0.00) slower