From: "shugo (Shugo Maeda)"
Date: 2012-08-14T09:49:25+09:00
Subject: [ruby-core:47166] [ruby-trunk - Bug #5485][Closed] ERB html_escape should follow OWASP recommendations

Issue #5485 has been updated by shugo (Shugo Maeda).

Status changed from Assigned to Closed
Assignee changed from seki (Masatoshi Seki) to shugo (Shugo Maeda)

fixed in r36687.
----------------------------------------
Bug #5485: ERB html_escape should follow OWASP recommendations
https://bugs.ruby-lang.org/issues/5485#change-28845

Author: tenderlovemaking (Aaron Patterson)
Status: Closed
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category:
Target version:
ruby -v: ruby 2.0.0dev (2011-10-25 trunk 33524) [x86_64-darwin11.2.0]

Hi,

OWASP recommends that we escape single quotes and forward slashes before inserting them into HTML. I would like to change ERB::Util.html_escape to do that.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I've attached a patch.

Thanks!

--
http://bugs.ruby-lang.org/
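The following is an added example written for this page; it is not the patch attached to the ticket nor the r36687 change. It puts an escaper that follows the cited OWASP Rule #1 (escaping `&`, `<`, `>`, `"`, `'` and `/`) beside a four-character escaper, which is assumed here to stand for the behaviour the ticket wants to change, and shows why the two extra characters matter: a template that single-quotes an attribute value is left open to attribute breakout when only the four classic characters are escaped. The payload and the `render_link` template are constructed for the demonstration.

```ruby
# Added example, not code from ruby-trunk or from the ticket's patch.
# Assumption: the "legacy" escaper handles only & < > ", which is the
# behaviour the ticket implies ERB::Util.html_escape had before the change.
LEGACY_MAP = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;"
}.freeze

# OWASP XSS Prevention Rule #1 additionally neutralises ' and /.
# Numeric references are used for ' because &apos; is not an HTML 4 entity.
OWASP_MAP = LEGACY_MAP.merge("'" => "&#x27;", "/" => "&#x2F;").freeze

def legacy_html_escape(value)
  value.to_s.gsub(/[&<>"]/, LEGACY_MAP)
end

def owasp_html_escape(value)
  value.to_s.gsub(%r{[&<>"'/]}, OWASP_MAP)
end

# A template that single-quotes an attribute value. This is exactly the
# context in which escaping " but not ' gives no protection.
def render_link(title, escaper)
  "<a title='#{escaper.call(title)}' href='#'>x</a>"
end

# Constructed sample input: closes the title attribute and injects a handler.
PAYLOAD = "' onmouseover='alert(1)".freeze

# Number of raw single quotes in the rendered tag. The template itself
# contributes four; any more means the untrusted value broke out.
def single_quote_count(html)
  html.count("'")
end

if __FILE__ == $PROGRAM_NAME
  [[:legacy_html_escape, "legacy"], [:owasp_html_escape, "owasp"]].each do |sym, label|
    html = render_link(PAYLOAD, method(sym))
    puts "#{label}: #{html}  (quotes: #{single_quote_count(html)})"
  end
end
```

Before relying on the shipped escaper, check what the Ruby you deploy actually does with `ERB::Util.html_escape("'/")` and `CGI.escapeHTML("'/")`, since the set of escaped characters has varied across versions. Quoting attribute values with double quotes and escaping `"` remains the robust habit regardless of which characters the library handles.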