From: Shugo Maeda
Date: 2012-08-13T10:30:26+09:00
Subject: [ruby-dev:46037] Re: [ruby-core:47138] [ruby-trunk - Bug #6861][Open] ERB::Util.escape_html is not escaping single quotes

Seki-san, this is Maeda.

The following ticket has been filed.

Since which characters should be escaped in HTML depends on the context, I think the current behaviour is by design, but considering convenience it might be fine to fix it. What do you think?

CGI.escapeHTML has already been fixed, but if we do handle it, I think it should be ' rather than '.

2012/8/13 spastorino (Santiago Pastorino) :
>
> Issue #6861 has been reported by spastorino (Santiago Pastorino).
>
> ----------------------------------------
> Bug #6861: ERB::Util.escape_html is not escaping single quotes
> https://bugs.ruby-lang.org/issues/6861
>
> Author: spastorino (Santiago Pastorino)
> Status: Open
> Priority: Normal
> Assignee:
> Category:
> Target version:
> ruby -v: 2.0.0dev
>
>
> We just fixed this issue in Rails
> https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J%5B1-25%5D
>
> Ruby's ERB is not escaping single quotes and this could lead to
> security issues like ...
>
> My Link!
> being link = " '; alert(hax) "
>
> OWASP suggests escaping &, <, >, ", ' and /
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
>
> About / I don't think it could lead to issues but that's another story.
>
> You have the right code in CGI.escapeHTML
> https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my
> suggestion is to reuse CGI.escapeHTML from ERB::Util
>
> I've sent a pull request https://github.com/ruby/ruby/pull/156
>
>
> --
> http://bugs.ruby-lang.org/
>

--
Shugo Maeda