From: "naruse (Yui NARUSE)" Date: 2012-08-14T15:13:49+09:00 Subject: [ruby-core:47177] [ruby-trunk - Bug #6861] ERB::Util.escape_html is not escaping single quotes Issue #6861 has been updated by naruse (Yui NARUSE). shugo (Shugo Maeda) wrote: > naruse (Yui NARUSE) wrote: > > ���������������' ������������������������1��������������������� > > https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content > > ���Using hex entities is recommended in the spec��������������������������������� > ������������������������������������������������������������������ > 10������������16������������������������������������HTML 4.01���spec������������������������������������������ ��������������������� ---------------------------------------- Bug #6861: ERB::Util.escape_html is not escaping single quotes https://bugs.ruby-lang.org/issues/6861#change-28857 Author: spastorino (Santiago Pastorino) Status: Closed Priority: Normal Assignee: shugo (Shugo Maeda) Category: Target version: ruby -v: 2.0.0dev We just fixed this issue in Rails https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J%5B1-25%5D Ruby's ERB is not escaping single quotes and this could lead to security issues like ... My Link! being link = " '; alert(hax) " OWASP suggest escaping &, <, >, ", ' and / https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content About / I don't think could lead to issues but that's another story. You have the right code in CGI.escapeHTML https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my suggestion is to reuse CGI.escapeHTML from ERB::Util I've sent a pull request https://github.com/ruby/ruby/pull/156 -- http://bugs.ruby-lang.org/