Feature #6620

Add ' to CGI's HTML escaping

Added by Eric Hodel over 2 years ago. Updated over 2 years ago.

[ruby-core:45760]
Status:Closed
Priority:Normal
Assignee:Takeyuki FUJIOKA


Related issues

Related to Ruby trunk - Bug #5485: ERB html_escape should follow OWASP recommendations Closed 10/26/2011

Associated revisions

Revision 36299
Added by Takeyuki FUJIOKA over 2 years ago

Wed Jul 4 08:24:28 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org

  • lib/cgi/util.rb: Add ' to CGI's HTML escaping.[Feature #6620]

Revision 36422
Added by Takeyuki FUJIOKA over 2 years ago

Wed Jul 18 07:59:29 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org

  • lib/cgi/util.rb (CGI.escapeHTML,unescapeHTML): Add ' for HTML5 escaping. [Feature #6620]

History

#1 Updated by Takeyuki FUJIOKA over 2 years ago

  • Status changed from Open to Assigned

#2 Updated by Takeyuki FUJIOKA over 2 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36299.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


Wed Jul 4 08:24:28 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org

  • lib/cgi/util.rb: Add ' to CGI's HTML escaping.[Feature #6620]

#3 Updated by Takeyuki FUJIOKA over 2 years ago

  • Status changed from Closed to Rejected

' is not part of the HTML specification but of the XML specification.

#4 Updated by Moxley Stratton over 2 years ago

' is a valid entity for both XHTML (http://www.w3.org/TR/xhtml1/dtds.html) and HTML5 (http://www.w3.org/TR/2011/WD-html5-20110525/syntax.html#attributes-0), and is supported by all mainstream browsers. It is a potential security risk not to escape the apostrophe character, because the apostrophe is a valid quote character for attribute values. For example:

name = "' href='javascript:doSomethingBad()"
"Foo"

The above creates a link to "javascript:doSomethingBad()", not "/foo". At the very least, the apostrophe should be escaped to its numeric entity, &#39;, because it is part of HTML syntax.
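
The attribute-injection case above, as an added example (not code from the issue or from lib/cgi/util.rb): a four-entity escaper written here to mirror the pre-fix behaviour is placed beside one that also escapes the apostrophe, the comment's payload is rendered into a single-quoted attribute, and a small attribute reader shows which href survives. The template, the attribute reader and the table names are constructed for this example.

```ruby
begin
  require 'cgi/escape' # Ruby >= 2.3: C implementation of CGI.escapeHTML
rescue LoadError
  require 'cgi'        # older Rubies: pure-Ruby escapeHTML from cgi/util
end

# Escaping tables written for this example. LEGACY_TABLE covers the four
# entities escapeHTML handled before this feature; HTML5_TABLE adds the
# apostrophe's numeric entity, as the fix does.
LEGACY_TABLE = { '&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;' }.freeze
HTML5_TABLE  = LEGACY_TABLE.merge("'" => '&#39;').freeze

def escape_with(table, str)
  # Characters missing from the table pass through unchanged.
  str.gsub(/[&"'<>]/) { |c| table.fetch(c, c) }
end

# Template (constructed): the untrusted +name+ lands in a single-quoted
# attribute placed before the intended href, as in the comment's scenario.
def render_link(name, table)
  "<a title='#{escape_with(table, name)}' href='/foo'>Foo</a>"
end

# Minimal attribute reader (constructed). Like the HTML5 tokenizer, it keeps
# the first occurrence of a duplicated attribute name and drops later ones.
def attributes_of(tag)
  attrs = {}
  tag.scan(/(\w+)=(?:'([^']*)'|"([^"]*)")/) do |key, sq, dq|
    attrs[key] ||= sq.nil? ? dq : sq
  end
  attrs
end

def link_target(name, table)
  attributes_of(render_link(name, table))['href']
end

PAYLOAD = "' href='javascript:doSomethingBad()" # the value from the comment

if __FILE__ == $0
  puts link_target(PAYLOAD, LEGACY_TABLE) # javascript:doSomethingBad()
  puts link_target(PAYLOAD, HTML5_TABLE)  # /foo
  puts CGI.escapeHTML(PAYLOAD)            # the stdlib now emits &#39; too
end
```

With the legacy table the raw apostrophe closes the title attribute and the attacker-supplied href is parsed first; with the apostrophe escaped the whole payload stays inside the attribute value.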

#5 Updated by Takeyuki FUJIOKA over 2 years ago

  • Status changed from Rejected to Assigned

Sorry, I confirmed this specification in HTML5.
I will import ' later.
Please wait.

#6 Updated by Takeyuki FUJIOKA over 2 years ago

  • Status changed from Assigned to Closed

This issue was solved with changeset r36422.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


Wed Jul 18 07:59:29 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org

  • lib/cgi/util.rb (CGI.escapeHTML,unescapeHTML): Add ' for HTML5 escaping. [Feature #6620]
