From: "shugo (Shugo Maeda)" Date: 2012-08-14T13:35:51+09:00 Subject: [ruby-core:47176] [ruby-trunk - Bug #6861] ERB::Util.escape_html is not escaping single quotes Issue #6861 has been updated by shugo (Shugo Maeda). ��������������� naruse (Yui NARUSE) wrote: > ���������������' ������������������������1��������������������� https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content ���Using hex entities is recommended in the spec��������������������������������� ������������������������������������������������������������������ 10������������16������������������������������������HTML 4.01���spec������������������������������������������ ---------------------------------------- Bug #6861: ERB::Util.escape_html is not escaping single quotes https://bugs.ruby-lang.org/issues/6861#change-28856 Author: spastorino (Santiago Pastorino) Status: Closed Priority: Normal Assignee: shugo (Shugo Maeda) Category: Target version: ruby -v: 2.0.0dev We just fixed this issue in Rails https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J%5B1-25%5D Ruby's ERB is not escaping single quotes and this could lead to security issues like ... My Link! being link = " '; alert(hax) " OWASP suggest escaping &, <, >, ", ' and / https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content About / I don't think could lead to issues but that's another story. You have the right code in CGI.escapeHTML https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my suggestion is to reuse CGI.escapeHTML from ERB::Util I've sent a pull request https://github.com/ruby/ruby/pull/156 -- http://bugs.ruby-lang.org/