Bug #5485: ERB html_escape should follow OWASP recommendations - Ruby - Ruby Issue Tracking System

Actions

Copy link

Like0

Bug #5485

closed

ERB html_escape should follow OWASP recommendations

Added by tenderlovemaking (Aaron Patterson) over 13 years ago. Updated over 12 years ago.

Status:

Closed

Assignee:

shugo (Shugo Maeda)

Target version:

ruby -v:

ruby 2.0.0dev (2011-10-25 trunk 33524) [x86_64-darwin11.2.0]

Backport:

[ruby-core:40366]

Description

Hi,

OWASP recommends that we escape single quotes and forward slashes before inserting them in to HTML. I would like to change ERB::Util.html_escape to do that.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I've attached a patch. Thanks!

Files

owasp.patch (1.09 KB) owasp.patch

owasp escaping rules

tenderlovemaking (Aaron Patterson), 10/26/2011 02:41 AM

Related issues 3 (0 open — 3 closed)

Like0Actions

Copy link

#2 [ruby-core:47166]

Updated by shugo (Shugo Maeda) over 12 years ago

Status changed from Assigned to Closed
Assignee changed from seki (Masatoshi Seki) to shugo (Shugo Maeda)

fixed in r36687.

Actions

Copy link

Like0

Also available in: Atom PDF

Related to Ruby - Bug #6861: ERB::Util.escape_html is not escaping single quotes	Closed	shugo (Shugo Maeda)	08/13/2012	Actions
Related to Ruby - Feature #6620: Add ' to CGI's HTML escaping	Closed	xibbar (Takeyuki FUJIOKA)	06/22/2012	Actions
Related to Ruby - Bug #6850: It's not recommended to escape ' to '	Closed	xibbar (Takeyuki FUJIOKA)	08/10/2012	Actions

Project

General

Custom queries

Profile

Ruby

Bug #5485

ERB html_escape should follow OWASP recommendations

Updated by shyouhei (Shyouhei Urabe) about 13 years ago

Updated by shugo (Shugo Maeda) over 12 years ago