Issue #5485 has been reported by Aaron Patterson.

----------------------------------------
Bug #5485: ERB html_escape should follow OWASP recommendations
http://redmine.ruby-lang.org/issues/5485

Author: Aaron Patterson
Status: Open
Priority: Normal
Assignee: Masatoshi Seki
Category: 
Target version: 
ruby -v: ruby 2.0.0dev (2011-10-25 trunk 33524) [x86_64-darwin11.2.0]


Hi,

OWASP recommends that we escape single quotes and forward slashes before inserting them into HTML.  I would like to change ERB::Util.html_escape to do that.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I've attached a patch.  Thanks!


-- 
http://redmine.ruby-lang.org
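Added example, not the patch attached to the report: an escaper that follows OWASP Rule #1 (escaping & < > " ' /) beside the four-character escaping ERB::Util.html_escape performed when this issue was filed, run on a constructed input inside a single-quoted attribute to show why the two extra characters matter. The names `legacy_html_escape`, `owasp_html_escape` and `single_quoted_attr` are assumptions for illustration.

```ruby
# Added example (not the patch from the report): OWASP-style html_escape
# compared with the four-character escaping ERB::Util.html_escape did at the
# time of the report.

# Characters ERB::Util.html_escape handled when this issue was filed.
LEGACY_HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'
}.freeze

# OWASP's recommended set adds the single quote and the forward slash.
# &#x27; is used rather than &apos; because &apos; is not defined in HTML 4.
OWASP_HTML_ESCAPE = LEGACY_HTML_ESCAPE.merge(
  "'" => '&#x27;', '/' => '&#x2F;'
).freeze

# Hypothetical name for the pre-patch behaviour.
def legacy_html_escape(str)
  str.to_s.gsub(/[&<>"]/, LEGACY_HTML_ESCAPE)
end

# Hypothetical name for the behaviour the report asks for.
def owasp_html_escape(str)
  str.to_s.gsub(%r{[&<>"'/]}, OWASP_HTML_ESCAPE)
end

# Builds a single-quoted attribute from untrusted input with the given escaper.
# Returns [markup, quote_survives]; quote_survives is true when a literal
# single quote from the input reached the output, i.e. the attribute delimiter
# could be terminated by the untrusted data.
def single_quoted_attr(untrusted, escaper)
  escaped = send(escaper, untrusted)
  markup = "<div title='#{escaped}'>"
  [markup, escaped.include?("'")]
end

# Constructed sample input containing both characters the report adds.
SAMPLE = "it's </div>"

if __FILE__ == $0
  puts legacy_html_escape(SAMPLE)   # it's &lt;/div&gt;
  puts owasp_html_escape(SAMPLE)    # it&#x27;s &lt;&#x2F;div&gt;
  puts single_quoted_attr(SAMPLE, :legacy_html_escape).inspect
  puts single_quoted_attr(SAMPLE, :owasp_html_escape).inspect
end
```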