From: "moxley (Moxley Stratton)"
Date: 2012-07-09T13:26:06+09:00
Subject: [ruby-core:46260] [ruby-trunk - Feature #6620] Add &apos; to CGI's HTML escaping

Issue #6620 has been updated by moxley (Moxley Stratton).

&apos; is a valid entity for both XHTML (http://www.w3.org/TR/xhtml1/dtds.html) and HTML5 (http://www.w3.org/TR/2011/WD-html5-20110525/syntax.html#attributes-0), and is supported by all mainstream browsers.

It is a potential security risk not to escape the apostrophe character, because the apostrophe is a valid quote character for attribute values. For example:

    name = "' href='javascript:doSomethingBad()"
    "Foo"

The above creates a link to "javascript:doSomethingBad()", not "/foo".

At the very least, the apostrophe should be escaped to its numeric entity, &#39;, because it is part of HTML syntax.

----------------------------------------
Feature #6620: Add &apos; to CGI's HTML escaping
https://bugs.ruby-lang.org/issues/6620#change-27882

Author: drbrain (Eric Hodel)
Status: Rejected
Priority: Normal
Assignee: xibbar (Takeyuki Fujioka)
Category: lib
Target version: 2.0.0

From https://github.com/ruby/ruby/pull/52

Patch by Igor Sales: https://github.com/ruby/ruby/pull/52.diff

--
http://bugs.ruby-lang.org/
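The attribute break-out described in the message, worked through in Ruby as an added example (not code from the thread or from the CGI library). It assumes a hypothetical template that places the user value in a single-quoted title attribute ahead of a fixed href='/foo'; the quote-blind escaper stands in for an escaper that leaves the apostrophe alone, beside one that escapes it to &#39;.

```ruby
require 'cgi'

# The five characters that can break out of an HTML text node or a quoted
# attribute value. The apostrophe goes to its numeric entity &#39; rather
# than &apos;, so that HTML 4 parsers decode it as well.
HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

def escape_html_with_apos(str)
  str.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Escaper that ignores the apostrophe, standing in for the behaviour the
# message argues against. Hypothetical, for comparison only.
QUOTE_BLIND = ->(s) { s.to_s.gsub(/[&<>"]/, HTML_ESCAPES) }
APOS_AWARE  = method(:escape_html_with_apos)

# Hypothetical template: the value lands in a single-quoted attribute that
# precedes the intended href.
def link_for(name, escaper)
  "<a title='#{escaper.call(name)}' href='/foo'>Foo</a>"
end

# Lists every quoted href attribute in the rendered markup, in document order.
# A browser keeps the first of duplicated attributes, so index 0 is the one
# that decides where the link goes.
def href_values(html)
  html.scan(/href=(?:'([^']*)'|"([^"]*)")/).map { |single, double| single || double }
end

# Constructed hostile input, copied from the message above.
NAME = "' href='javascript:doSomethingBad()"

if __FILE__ == $0
  p href_values(link_for(NAME, QUOTE_BLIND)) # injected href comes first
  p href_values(link_for(NAME, APOS_AWARE))  # only the intended href remains
  p CGI.escapeHTML("'")                      # Ruby 2.0+ escapes to &#39;
end
```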