Bug #6850: It's not recommended to escape ' to ' - Ruby master - Ruby Issue Tracking System

Actions

Bug #6850

closed

It's not recommended to escape ' to '

Added by spastorino (Santiago Pastorino) over 12 years ago. Updated about 12 years ago.

Status:

Closed

Assignee:

xibbar (Takeyuki FUJIOKA)

Target version:

ruby -v:

2.0.0dev

Backport:

[ruby-core:47095]

Description

OWASP doesn't recommend it https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
and ' is not a valid in HTML4 http://www.w3.org/TR/html4/sgml/entities.html

I've made a Pull Request on github too https://github.com/ruby/ruby/pull/154

Related issues 1 (0 open — 1 closed)

Actions

#1 [ruby-core:47099]

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Assignee set to xibbar (Takeyuki FUJIOKA)

Actions

#2 [ruby-core:47100]

Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago

Status changed from Open to Assigned

Actions

#3 [ruby-core:47154]

Updated by spastorino (Santiago Pastorino) about 12 years ago

I've just updated the pull request to take in consideration https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/36687

Actions

#4

Updated by xibbar (Takeyuki FUJIOKA) about 12 years ago

Status changed from Assigned to Closed
% Done changed from 0 to 100

This issue was solved with changeset r36692.
Santiago, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

Tue Aug 14 11:55:37 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org

lib/cgi/util.rb (CGI::escapeHTML): ' is not recommended. [Bug #6850]

Actions

Also available in: Atom PDF

Like0

Like0Like0Like0Like0