From 944bcb54f6bf98a2dddf2374e50c800e2b5e6306 Mon Sep 17 00:00:00 2001
From: eileencodes
Date: Wed, 4 May 2022 13:12:51 -0400
Subject: [PATCH] Fix tag helper regression
Vue.js, alpinejs, and potentially other JS libraries support tags starting with `@` symbols. This was broken by the recent security release in https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85 I've only added `@` to the list even though there are potentially other safe characters. We can add more if necessary (and if safe).
Fixes:
* #45014
* #44972
---
 actionview/test/template/tag_helper_test.rb | 2 ++
 .../lib/active_support/core_ext/string/output_safety.rb | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
index f401dfb699fd8..239309f7c7dc0 100644
--- a/actionview/test/template/tag_helper_test.rb
+++ b/actionview/test/template/tag_helper_test.rb
@@ -201,6 +201,8 @@ def test_content_tag
 content_tag(:p, "")
 assert_equal "

", content_tag(:p, "", nil, false) + assert_equal "
test
", + content_tag(:div, "test", "@click": "triggerNav()") end def test_tag_builder_with_content diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index d4ffff58965b0..597428ceeec43 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -12,7 +12,7 @@ module Util JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name - TAG_NAME_START_REGEXP_SET = ":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \ + TAG_NAME_START_REGEXP_SET = "@:A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \ "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}" TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/