escape.c: should not freeze

* ext/cgi/escape/escape.c (optimized_escape_html): CGI.escapeHTML
  should return unfrozen new string.
  [ruby-core:72426] [Bug #11858]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53234 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,9 @@
+Tue Dec 22 14:31:28 2015  Toru Iwase  <tietew@tietew.net>
+
+	* ext/cgi/escape/escape.c (optimized_escape_html): CGI.escapeHTML
+	  should return unfrozen new string.
+	  [ruby-core:72426] [Bug #11858]
+
 Tue Dec 22 05:39:58 2015  Takashi Kokubun  <takashikkbn@gmail.com>
 
 	* ext/cgi/escape/escape.c (preserve_original_state): Preserve

ext/cgi/escape/escape.c

@@ -30,7 +30,7 @@ preserve_original_state(VALUE orig, VALUE dest)
 {
     rb_enc_associate(dest, rb_enc_get(orig));
 
-    FL_SET_RAW(dest, FL_TEST_RAW(orig, FL_FREEZE|FL_TAINT));
+    RB_OBJ_INFECT_RAW(dest, orig);
 }
 
 static VALUE
@@ -69,7 +69,7 @@ optimized_escape_html(VALUE str)
 	return dest;
     }
     else {
-	return str;
+	return rb_str_dup(str);
     }
 }
 

test/cgi/test_cgi_util.rb

@@ -62,20 +62,36 @@ class CGIUtilTest < Test::Unit::TestCase
     assert_equal("&#39;&amp;&quot;&gt;&lt;", CGI::escapeHTML("'&\"><"))
   end
 
+  def test_cgi_escape_html_duplicated
+    orig = "Ruby".force_encoding("US-ASCII")
+    str = CGI::escapeHTML(orig)
+    assert_equal(orig, str)
+    assert_not_same(orig, str)
+  end
+
+  def assert_cgi_escape_html_preserve_encoding(str, encoding)
+    assert_equal(encoding, CGI::escapeHTML(str.dup.force_encoding(encoding)).encoding)
+  end
+
   def test_cgi_escape_html_preserve_encoding
-    assert_equal(Encoding::US_ASCII, CGI::escapeHTML("'&\"><".force_encoding("US-ASCII")).encoding)
-    assert_equal(Encoding::ASCII_8BIT, CGI::escapeHTML("'&\"><".force_encoding("ASCII-8BIT")).encoding)
-    assert_equal(Encoding::UTF_8, CGI::escapeHTML("'&\"><".force_encoding("UTF-8")).encoding)
+    Encoding.list do |enc|
+      assert_cgi_escape_html_preserve_encoding("'&\"><", enc)
+      assert_cgi_escape_html_preserve_encoding("Ruby", enc)
+    end
   end
 
   def test_cgi_escape_html_preserve_tainted
-    assert_equal(false, CGI::escapeHTML("'&\"><").tainted?)
-    assert_equal(true, CGI::escapeHTML("'&\"><".taint).tainted?)
+    assert_not_predicate CGI::escapeHTML("'&\"><"),       :tainted?
+    assert_predicate     CGI::escapeHTML("'&\"><".taint), :tainted?
+    assert_not_predicate CGI::escapeHTML("Ruby"),         :tainted?
+    assert_predicate     CGI::escapeHTML("Ruby".taint),   :tainted?
   end
 
-  def test_cgi_escape_html_preserve_frozen
-    assert_equal(false, CGI::escapeHTML("'&\"><".dup).frozen?)
-    assert_equal(true, CGI::escapeHTML("'&\"><".freeze).frozen?)
+  def test_cgi_escape_html_dont_freeze
+    assert_not_predicate CGI::escapeHTML("'&\"><".dup),    :frozen?
+    assert_not_predicate CGI::escapeHTML("'&\"><".freeze), :frozen?
+    assert_not_predicate CGI::escapeHTML("Ruby".dup),      :frozen?
+    assert_not_predicate CGI::escapeHTML("Ruby".freeze),   :frozen?
   end
 
   def test_cgi_unescapeHTML