From: "shugo (Shugo Maeda)" Date: 2012-08-13T13:11:45+09:00 Subject: [ruby-core:47144] [ruby-trunk - Bug #6861] ERB::Util.escape_html is not escaping single quotes Issue #6861 has been updated by shugo (Shugo Maeda). Assignee set to shugo (Shugo Maeda) Hello, Thanks for your report. spastorino (Santiago Pastorino) wrote: > OWASP suggest escaping &, <, >, ", ' and / > https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content > > About / I don't think could lead to issues but that's another story. Agreed. > You have the right code in CGI.escapeHTML > https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my > suggestion is to reuse CGI.escapeHTML from ERB::Util I and SEKI have discussed it, and have agreed to use cgi/util. CGI.escapeHTML has a problem that is uses ' instead of ', but xibbar will fix it later. ---------------------------------------- Bug #6861: ERB::Util.escape_html is not escaping single quotes https://bugs.ruby-lang.org/issues/6861#change-28817 Author: spastorino (Santiago Pastorino) Status: Open Priority: Normal Assignee: shugo (Shugo Maeda) Category: Target version: ruby -v: 2.0.0dev We just fixed this issue in Rails https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J%5B1-25%5D Ruby's ERB is not escaping single quotes and this could lead to security issues like ... My Link! being link = " '; alert(hax) " OWASP suggest escaping &, <, >, ", ' and / https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content About / I don't think could lead to issues but that's another story. You have the right code in CGI.escapeHTML https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my suggestion is to reuse CGI.escapeHTML from ERB::Util I've sent a pull request https://github.com/ruby/ruby/pull/156 -- http://bugs.ruby-lang.org/