


Bug #5485 ยป owasp.patch

owasp escaping rules - tenderlovemaking (Aaron Patterson), 10/26/2011 02:41 AM


lib/erb.rb
# is a > 0 & a < 10?
#
def html_escape(s)
s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;")
s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").gsub(/'/, "&#x27;").gsub(/\//, "&#x2F;")
end
alias h html_escape
module_function :h
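Review bot: The new `html_escape` body is six chained gsub passes whose correctness depends on `&` being replaced first (otherwise the `&quot;`, `&gt;`, `&lt;`, `&#x27;` and `&#x2F;` emitted by later passes would themselves be re-escaped), so any future reordering of the chain silently double-escapes; a single pass over a frozen lookup table removes that ordering hazard and walks the string once: `HTML_ESCAPE = { '&' => '&amp;', '"' => '&quot;', '>' => '&gt;', '<' => '&lt;', "'" => '&#x27;', '/' => '&#x2F;' }.freeze` and `s.to_s.gsub(/[&"'><\/]/, HTML_ESCAPE)`. The documentation comment that the hunk's first line `# is a > 0 & a < 10?` belongs to begins outside the hunk; if its example output shows `'` or `/` passing through unchanged, it should be updated to show `&#x27;` and `&#x2F;` so the doc matches the new behavior. The `alias h html_escape` and `module_function :h` lines appear to be unchanged context.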
test/erb/test_erb.rb
class TestERB < Test::Unit::TestCase
class MyError < RuntimeError ; end
def test_html_escape
{
'&' => '&amp;',
'"' => '&quot;',
'>' => '&gt;',
'<' => '&lt;',
"'" => '&#x27;',
'/' => '&#x2F;'
}.each do |original, escaped|
assert_equal escaped, ERB::Util.h(original)
end
end
def test_without_filename
erb = ERB.new("<% raise ::TestERB::MyError %>")
e = assert_raise(MyError) {