ruby-dev

咳さん

前田です。

以下のチケットが登録されています。

HTMLではどの文字をエスケープすべきかは文脈によって異なるので、現状の動作は仕様
だと思うのですが、利便性を考えると修正してもよいのかなと思いますが、どうでしょう。

CGI.escapeHTMLの方はすでに修正されていますが、対応するなら&apos;じゃなくて&#39;
にすべきかなと思います。

2012/8/13 spastorino (Santiago Pastorino) <santiago@wyeworks.com>:
>
> Issue #6861 has been reported by spastorino (Santiago Pastorino).
>
> ----------------------------------------
> Bug #6861: ERB::Util.escape_html is not escaping single quotes
> https://bugs.ruby-lang.org/issues/6861
>
> Author: spastorino (Santiago Pastorino)
> Status: Open
> Priority: Normal
> Assignee:
> Category:
> Target version:
> ruby -v: 2.0.0dev
>
>
> We just fixed this issue in Rails
> https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J%5B1-25%5D
>
> Ruby's ERB is not escaping single quotes and this could lead to
> security issues like ...
>
> <a href='<%= h link %>' >My Link!</a>
> being link = " '; alert(hax) "
>
> OWASP suggest escaping &, <, >, ", ' and /
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
>
> About / I don't think could lead to issues but that's another story.
>
> You have the right code in CGI.escapeHTML
> https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my
> suggestion is to reuse CGI.escapeHTML from ERB::Util
>
> I've sent a pull request https://github.com/ruby/ruby/pull/156
>
>
> --
> http://bugs.ruby-lang.org/
>



-- 
Shugo Maeda

Thread

Prev Next

In This Thread

Prev Next

[#46026] Re: [ruby-cvs:43788] shugo:r36612 (trunk): * insns.def (invokesuper): don't skip the same class. instead, use — Urabe Shyouhei <shyouhei@...>

[#46030] [ruby-trunk - Bug #595] Fiber ignores ensure clause — "wanabe (_ wanabe)" <s.wanabe@...>

[#46032] 「Ruby安定版保守委託事業」の提案募集について — Shugo Maeda <shugo@...>

[#46037] Re: [ruby-core:47138] [ruby-trunk - Bug #6861][Open] ERB::Util.escape_html is not escaping single quotes — Shugo Maeda <shugo@...>

[#46049] [ruby-trunk - Bug #6873][Open] Failed to build ruby for NaCl i686 version — "ikeay (Ayaka Ikezawa)" <ikeay@...>

[#46051] [ruby-trunk - Feature #6875][Open] Make test/unit default gem — "kou (Kouhei Sutou)" <kou@...>

[#46053] [ruby-trunk - Bug #6881][Assigned] 2 Failures in test/-ext-/test_printf.rb — "usa (Usaku NAKAMURA)" <usa@...>

[#46054] [ruby-trunk - Bug #6882][Assigned] parallel test crashes when unknown exception is occured in a test — "usa (Usaku NAKAMURA)" <usa@...>

[#46055] Fwd: 『RubyKaja』登録のお知らせ — SASADA Koichi <ko1@...>

[#46061] [ruby-trunk - Bug #6898][Open] lambda周辺でSegmentation fault — uy (西行寺 うゆ) <redmine@...>

[#46064] [ruby-trunk - Bug #6900][Open] execinfo ライブラリ（およびそのヘッダ）の探索に --with-opt-dir の指定が利かない — "metanest (Makoto Kishimoto)" <redmine@...>

[#46065] [ruby-trunk - Bug #6901][Assigned] SEGV with tail call optimization — "shugo (Shugo Maeda)" <redmine@...>

[#46067] [ruby-trunk - Bug #6904][Assigned] make -j all fails (sometimes) — "shyouhei (Shyouhei Urabe)" <shyouhei@...>

[#46073] [ruby-trunk - Bug #2402][Open] super in instance_eval — "shugo (Shugo Maeda)" <redmine@...>

[#46074] [ruby-trunk - Bug #6911][Open] Sync_m#sync_unlock で ThreadError が発生する場合がある — "mrkn (Kenta Murata)" <muraken@...>

[#46077] [ruby-trunk - Bug #6927][Open] 日本語ドキュメントにおける Math.#atan2 について — "n.arita (Naoki Arita)" <ToNaokiArita@...>

[#46081] [ruby-trunk - Feature #6936][Assigned] Forbid singleton class and instance variabls for float — "naruse (Yui NARUSE)" <naruse@...>

[#46097] [ruby-trunk - Bug #6956][Assigned] cannot build with nmake — "usa (Usaku NAKAMURA)" <usa@...>

[ruby-dev:46037] Re: [ruby-core:47138] [ruby-trunk - Bug #6861][Open] ERB::Util.escape_html is not escaping single quotes

Thread

In This Thread

[#46061] [ruby-trunk - Bug #6898][Open] lambda周辺でSegmentation fault — uy (西行寺うゆ) <redmine@...>