Issue #6620 has been updated by moxley (Moxley Stratton).


' is a valid entity for both XHTML (http://www.w3.org/TR/xhtml1/dtds.html) and HTML5 (http://www.w3.org/TR/2011/WD-html5-20110525/syntax.html#attributes-0), and is supported by all mainstream browsers. It is a potential security risk not to escape the apostrophe character, because the apostrophe is a valid quote character for attribute values. For example:

require 'cgi'

name = "' href='javascript:doSomethingBad()"
puts "<a title='This links to #{CGI.escapeHTML(name)}' href='/foo'>Foo</a>"

The above creates a link to "javascript:doSomethingBad()", not "/foo". At the very least, the apostrophe should be escaped to its numeric entity, &#39;, because it is part of HTML syntax.
----------------------------------------
Feature #6620: Add &apos; to CGI's HTML escaping
https://bugs.ruby-lang.org/issues/6620#change-27882

Author: drbrain (Eric Hodel)
Status: Rejected
Priority: Normal
Assignee: xibbar (Takeyuki Fujioka)
Category: lib
Target version: 2.0.0


From https://github.com/ruby/ruby/pull/52

Patch by Igor Sales: https://github.com/ruby/ruby/pull/52.diff


-- 
http://bugs.ruby-lang.org/