From: "spastorino (Santiago Pastorino)" Date: 2012-08-13T01:20:16+09:00 Subject: [ruby-core:47138] [ruby-trunk - Bug #6861][Open] ERB::Util.escape_html is not escaping single quotes Issue #6861 has been reported by spastorino (Santiago Pastorino). ---------------------------------------- Bug #6861: ERB::Util.escape_html is not escaping single quotes https://bugs.ruby-lang.org/issues/6861 Author: spastorino (Santiago Pastorino) Status: Open Priority: Normal Assignee: Category: Target version: ruby -v: 2.0.0dev We just fixed this issue in Rails https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J%5B1-25%5D Ruby's ERB is not escaping single quotes and this could lead to security issues like ... My Link! being link = " '; alert(hax) " OWASP suggest escaping &, <, >, ", ' and / https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content About / I don't think could lead to issues but that's another story. You have the right code in CGI.escapeHTML https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my suggestion is to reuse CGI.escapeHTML from ERB::Util I've sent a pull request https://github.com/ruby/ruby/pull/156 -- http://bugs.ruby-lang.org/