Actions
Bug #6850
closedIt's not recommended to escape ' to '
Description
OWASP doesn't recommend it https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
and ' is not a valid in HTML4 http://www.w3.org/TR/html4/sgml/entities.html
I've made a Pull Request on github too https://github.com/ruby/ruby/pull/154
Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago
- Assignee set to xibbar (Takeyuki FUJIOKA)
Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago
- Status changed from Open to Assigned
Updated by spastorino (Santiago Pastorino) over 12 years ago
I've just updated the pull request to take in consideration https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/36687
Updated by xibbar (Takeyuki FUJIOKA) over 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r36692.
Santiago, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
Tue Aug 14 11:55:37 2012 Takeyuki FUJIOKA xibbar@ruby-lang.org
- lib/cgi/util.rb (CGI::escapeHTML): ' is not recommended. [Bug #6850]
Actions
Like0
Like0Like0Like0Like0