Bug #5485

closed

ERB html_escape should follow OWASP recommendations

Added by tenderlovemaking (Aaron Patterson) over 12 years ago. Updated over 11 years ago.

Status:
Closed
Target version:
-
ruby -v:
ruby 2.0.0dev (2011-10-25 trunk 33524) [x86_64-darwin11.2.0]
Backport:
[ruby-core:40366]

Description

Hi,

OWASP recommends that we escape single quotes and forward slashes before inserting them into HTML. I would like to change ERB::Util.html_escape to do that.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I've attached a patch. Thanks!
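To make the rule concrete, the following is an added example written for this page; it is not the attached owasp.patch and not the stdlib implementation. It escapes the full OWASP Rule #1 character set (`& < > " ' /`) in a single pass, and for comparison reimplements the pre-patch behaviour the report describes (only `& < > "`) as `legacy_html_escape`. The helper `safe_in_single_quoted_attr?` and the sample input are constructed for the demonstration; the point it shows is that a value escaped the old way can still carry a bare `'` into a single-quoted attribute, while the OWASP escaping cannot.

```ruby
# Added example: OWASP XSS Prevention Rule #1 escaping for HTML element content
# and attribute values. Not the patch attached to this bug.

# OWASP's recommended replacements. &#x27; is used for the apostrophe because
# &apos; is not defined in HTML 4; &#x2F; covers the forward slash.
OWASP_HTML_ESCAPE = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#x27;',
  '/' => '&#x2F;'
}.freeze

# Regexp.union escapes the literal characters for us.
OWASP_ESCAPE_PATTERN = Regexp.union(OWASP_HTML_ESCAPE.keys)

# Escape every Rule #1 character in one gsub pass. A single pass matters:
# chained substitutions would re-escape the '&' produced by an earlier step.
def owasp_html_escape(value)
  value.to_s.gsub(OWASP_ESCAPE_PATTERN, OWASP_HTML_ESCAPE)
end

# Reimplementation (for comparison only) of the behaviour the report complains
# about: only & < > and " are escaped, so ' and / pass through untouched.
def legacy_html_escape(value)
  value.to_s.gsub(/[&<>"]/, '&' => '&amp;', '<' => '&lt;',
                            '>' => '&gt;', '"' => '&quot;')
end

# True when the escaped text contains none of the characters that could end a
# single- or double-quoted attribute value or open a new tag.
def safe_in_single_quoted_attr?(escaped)
  escaped !~ /['"<>]/
end

# Render a constructed template that uses single-quoted attributes, which the
# old escaping does not protect.
def render_title_link(value, escaper)
  "<a title='#{escaper.call(value)}'>link</a>"
end

if __FILE__ == $0
  sample = %q{O'Reilly </b> & "Sons" 1/2}   # constructed input, not from the report
  puts render_title_link(sample, method(:legacy_html_escape))
  puts render_title_link(sample, method(:owasp_html_escape))
end
```

Running the block prints the two renderings; only the second leaves the `title='...'` attribute intact for the sample value. The table-driven design also makes the escaped set reviewable at a glance, which is what you want when auditing an escaping routine against a published rule.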


Files

  • owasp.patch (1.09 KB): owasp escaping rules, tenderlovemaking (Aaron Patterson), 10/26/2011 02:41 AM

Related issues: 3 (0 open, 3 closed)

  • Related to Ruby master - Bug #6861: ERB::Util.escape_html is not escaping single quotes (Closed, shugo (Shugo Maeda), 08/13/2012)
  • Related to Ruby master - Feature #6620: Add ' to CGI's HTML escaping (Closed, xibbar (Takeyuki FUJIOKA), 06/22/2012)
  • Related to Ruby master - Bug #6850: It's not recommended to escape ' to ' (Closed, xibbar (Takeyuki FUJIOKA), 08/10/2012)
#1 - Updated by shyouhei (Shyouhei Urabe) about 12 years ago

  • Status changed from Open to Assigned

Updated by shugo (Shugo Maeda) over 11 years ago

  • Status changed from Assigned to Closed
  • Assignee changed from seki (Masatoshi Seki) to shugo (Shugo Maeda)

fixed in r36687.
