Bug #5485: ERB html_escape should follow OWASP recommendations - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #5485

closed

ERB html_escape should follow OWASP recommendations

Added by tenderlovemaking (Aaron Patterson) about 13 years ago. Updated over 12 years ago.

Status:

Closed

Assignee:

shugo (Shugo Maeda)

Target version:

ruby -v:

ruby 2.0.0dev (2011-10-25 trunk 33524) [x86_64-darwin11.2.0]

Backport:

[ruby-core:40366]

Description

Hi,

OWASP recommends that we escape single quotes and forward slashes before inserting them in to HTML. I would like to change ERB::Util.html_escape to do that.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I've attached a patch. Thanks!

Files

owasp.patch (1.09 KB) owasp.patch

owasp escaping rules

tenderlovemaking (Aaron Patterson), 10/26/2011 02:41 AM

Related issues 3 (0 open — 3 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0

Related to Ruby master - Bug #6861: ERB::Util.escape_html is not escaping single quotes	Closed	shugo (Shugo Maeda)	08/13/2012	Actions
Related to Ruby master - Feature #6620: Add ' to CGI's HTML escaping	Closed	xibbar (Takeyuki FUJIOKA)	06/22/2012	Actions
Related to Ruby master - Bug #6850: It's not recommended to escape ' to '	Closed	xibbar (Takeyuki FUJIOKA)	08/10/2012	Actions

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #5485

ERB html_escape should follow OWASP recommendations

Updated by shyouhei (Shyouhei Urabe) almost 13 years ago

Updated by shugo (Shugo Maeda) over 12 years ago