Bug #5485

ERB html_escape should follow OWASP recommendations

Added by tenderlovemaking (Aaron Patterson) over 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Target version: -
ruby -v: ruby 2.0.0dev (2011-10-25 trunk 33524) [x86_64-darwin11.2.0]
Backport: [ruby-core:40366]

Description

Hi,

OWASP recommends that we escape single quotes and forward slashes before inserting them into HTML. I would like to change ERB::Util.html_escape to do that.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I've attached a patch. Thanks!
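The escaping rule the description cites, as an added example written for this page (it is not the owasp.patch attached to the ticket and not ERB's own code): a stand-alone escaper that covers all six characters named in OWASP rule #1, plus a small check that shows why a bare apostrophe matters once the escaped value lands inside a single-quoted attribute. The names owasp_html_escape, single_quoted_attr and attribute_terminated? are chosen here; ERB::Util.html_escape is only called for comparison, and what it does with the apostrophe depends on the Ruby version you run this under.

```ruby
# Added example, not the patch from the ticket: an escaper following the
# OWASP XSS Prevention Cheat Sheet rule #1 quoted in the description, and a
# demonstration of why the two extra characters matter in attribute context.

require 'erb'

# The six characters OWASP rule #1 says to escape before inserting untrusted
# data into HTML. The apostrophe is written as a numeric entity because
# &apos; is not an HTML 4 entity and is not understood by every parser.
OWASP_HTML_ESCAPES = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;',
  '/' => '&#x2F;'
}.freeze

OWASP_HTML_RE = %r{[&<>"'/]}

# Escape every OWASP rule #1 character in one pass; gsub with a Hash
# replaces each match with the entity looked up for that character.
def owasp_html_escape(str)
  str.to_s.gsub(OWASP_HTML_RE, OWASP_HTML_ESCAPES)
end

# Build a single-quoted attribute from an untrusted value using the given
# escaper (any callable taking a String and returning a String).
def single_quoted_attr(value, escaper)
  "<a title='#{escaper.call(value)}'>link</a>"
end

# True when the rendered attribute still contains a raw apostrophe beyond the
# two delimiters, i.e. the untrusted value was able to end the attribute
# early. This is the failure the ticket wants html_escape to prevent.
def attribute_terminated?(markup)
  markup.count("'") > 2
end

if __FILE__ == $0
  # Constructed input: an ordinary name containing an apostrophe.
  untrusted = "O'Reilly </b>"
  puts "ERB::Util.html_escape : #{ERB::Util.html_escape(untrusted)}"
  puts "owasp_html_escape     : #{owasp_html_escape(untrusted)}"
  puts "unescaped attr broken?: #{attribute_terminated?(single_quoted_attr(untrusted, ->(s) { s }))}"
  puts "OWASP attr broken?    : #{attribute_terminated?(single_quoted_attr(untrusted, method(:owasp_html_escape)))}"
end
```

The check deliberately counts apostrophes in the finished markup rather than inspecting the escaper's output alone: the point of the OWASP rule is that the same escaped string must be safe no matter which quoting style the template author chose for the attribute.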


Files

owasp.patch (1.09 KB) - owasp escaping rules - tenderlovemaking (Aaron Patterson), 10/26/2011 02:41 AM

Related issues

Related to Ruby trunk - Bug #6861: ERB::Util.escape_html is not escaping single quotes (Closed, 08/13/2012)
Related to Ruby trunk - Feature #6620: Add ' to CGI's HTML escaping (Closed, 06/22/2012)
Related to Ruby trunk - Bug #6850: It's not recommended to escape ' to ' (Closed, 08/10/2012)

History

#1

Updated by shyouhei (Shyouhei Urabe) over 7 years ago

  • Status changed from Open to Assigned

Updated by shugo (Shugo Maeda) almost 7 years ago

  • Status changed from Assigned to Closed
  • Assignee changed from seki (Masatoshi Seki) to shugo (Shugo Maeda)

fixed in r36687.
