Feature #6620: Add ' to CGI's HTML escaping - Ruby master - Ruby Issue Tracking System

This issue was solved with changeset r36299.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

Wed Jul 4 08:24:28 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org

lib/cgi/util.rb: Add ' to CGI's HTML escaping.[Feature #6620]

Actions

Copy link

#3 [ruby-core:46161]

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Status changed from Closed to Rejected

' is not html but xml specification.

Actions

Copy link

#4 [ruby-core:46260]

Updated by moxley (Moxley Stratton) over 12 years ago

' is a valid entity for both XHML (http://www.w3.org/TR/xhtml1/dtds.html) and HTML5 (http://www.w3.org/TR/2011/WD-html5-20110525/syntax.html#attributes-0), and is supported by all mainstream browsers. It is a potential security risk not to escape the apostrophe character, because the apostrophe is a valid quote character for attribute values. For example:

name = "' href='javascript:doSomethingBad()"
"Foo"

The above creates a link to "javascript:doSomethingBad()", not "/foo". At the very least, the apostrophe should be escaped to its numeric entity, ' because it is part of HTML syntax.

Actions

Copy link

#5 [ruby-core:46288]

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Status changed from Rejected to Assigned

Sorry, I confirmed this specification in HTML5.
I will import ' later.
Please wait.

Actions

Copy link

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Status changed from Assigned to Closed

This issue was solved with changeset r36422.
Eric, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

Wed Jul 18 07:59:29 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org

lib/cgi/util.rb (CGI.escapeHTML,unescapeHTML): Add ' for HTML5 escaping.
[Feature #6620]

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0Like0Like0Like0Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Feature #6620

Add ' to CGI's HTML escaping

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by moxley (Moxley Stratton) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Project

General

Profile

Ruby » Ruby master

Custom queries

Feature #6620

Add &apos; to CGI's HTML escaping

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by moxley (Moxley Stratton) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Add ' to CGI's HTML escaping