Issue #6850 has been reported by spastorino (Santiago Pastorino).

----------------------------------------
Bug #6850: It's not recommended to escape ' to &apos;
https://bugs.ruby-lang.org/issues/6850

Author: spastorino (Santiago Pastorino)
Status: Open
Priority: Normal
Assignee: 
Category: 
Target version: 2.0.0
ruby -v: 2.0.0dev


OWASP doesn't recommend it https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
and &apos; is not valid in HTML4 http://www.w3.org/TR/html4/sgml/entities.html

I've made a pull request on GitHub too: https://github.com/ruby/ruby/pull/154


-- 
http://bugs.ruby-lang.org/
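As an added illustration of the point the report makes (this is example code, not the reporter's pull request and not ruby/ruby's CGI.escapeHTML), the block below shows an HTML element-content escaper that follows OWASP rule #1 and emits the apostrophe as the numeric reference &#39;, next to a variant that emits the named entity &apos;, which an HTML 4.01 user agent does not know. A small scanner then lists the character references in the output that are not HTML4-valid; its list of named entities is a constructed subset of the HTML 4.01 entity table (the real table has 252 names, and "apos" is not among them), kept short here only for the demonstration.

```ruby
# Added example: OWASP-style HTML escaping of untrusted text for element
# content, and a check for character references that HTML4 does not define.
# Not code from the bug report or from ruby/ruby.

# Escape table per OWASP XSS Prevention rule #1. The apostrophe becomes a
# numeric reference (&#39;, equivalently &#x27;), because the named entity
# &apos; exists in XML/XHTML but is absent from the HTML 4.01 entity list.
HTML_ESCAPE_TABLE = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;',
}.freeze

# Variant that reproduces the behaviour the report objects to: the same
# table, but with the apostrophe mapped to the named entity &apos;.
HTML_ESCAPE_TABLE_APOS = HTML_ESCAPE_TABLE.merge("'" => '&apos;').freeze

HTML_ESCAPE_RE = /[&<>"']/

# Escape untrusted text so it can be placed inside an HTML element.
def html_escape(untrusted)
  untrusted.to_s.gsub(HTML_ESCAPE_RE, HTML_ESCAPE_TABLE)
end

# Same, but using &apos; (problematic for HTML4 user agents).
def html_escape_apos(untrusted)
  untrusted.to_s.gsub(HTML_ESCAPE_RE, HTML_ESCAPE_TABLE_APOS)
end

# Constructed subset of the HTML 4.01 named entities (the full list at
# http://www.w3.org/TR/html4/sgml/entities.html has 252 names). "apos" is
# deliberately not here because HTML 4.01 does not define it.
HTML4_NAMED_ENTITIES = %w[amp lt gt quot nbsp copy reg].freeze

# Matches one character reference: numeric (&#39; / &#x27;) or named (&amp;).
CHAR_REF_RE = /&(?:#x\h+|#\d+|[A-Za-z][A-Za-z0-9]*);/

# True if a single reference is valid HTML 4.01: any numeric character
# reference, or a named entity from the (subset) table above.
def html4_entity?(ref)
  return true if ref =~ /\A&#(?:x\h+|\d+);\z/
  HTML4_NAMED_ENTITIES.include?(ref[1..-2])
end

# Returns the distinct character references in +html+ that HTML4 would not
# recognise (and would therefore render literally instead of as a character).
def unknown_references(html)
  html.scan(CHAR_REF_RE).reject { |ref| html4_entity?(ref) }.uniq
end

if $0 == __FILE__
  # Constructed sample of untrusted input containing every character the
  # table handles.
  sample = %q{<a href='x'>O'Reilly & "co"</a>}
  puts html_escape(sample)
  puts "unknown in OWASP-style output: #{unknown_references(html_escape(sample)).inspect}"
  puts "unknown in &apos; output:      #{unknown_references(html_escape_apos(sample)).inspect}"
end
```

Running the file prints the escaped string and shows that only the &apos; variant leaves a reference an HTML4 parser does not understand; the numeric form is understood by both HTML4 and XHTML parsers, which is why OWASP recommends it.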