On Mon, Aug 13, 2012 at 01:11:45PM +0900, shugo (Shugo Maeda) wrote:
>
> Issue #6861 has been updated by shugo (Shugo Maeda).
>
> Assignee set to shugo (Shugo Maeda)
>
> Hello,
>
> Thanks for your report.
>
> spastorino (Santiago Pastorino) wrote:
> > OWASP suggests escaping &, <, >, ", ' and /
> > https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
> >
> > About /, I don't think it could lead to issues, but that's another story.
>
> Agreed.
>
> > You have the right code in CGI.escapeHTML
> > https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my
> > suggestion is to reuse CGI.escapeHTML from ERB::Util
>
> I and SEKI have discussed it, and have agreed to use cgi/util.
> CGI.escapeHTML has a problem that it uses &apos; instead of &#x27;, but
> xibbar will fix it later.

Shouldn't CGI use ERB?  It seems like ERB's use is for creating HTML,
where CGI is in charge of providing the common gateway interface.

ERB concerns itself with templating and should have knowledge of
template formats / escaping.  It seems CGI would not.

-- 
Aaron Patterson
http://tenderlovemaking.com/
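
The escaping rule the thread is discussing, as an added example that is not code from the thread, from Ruby's cgi/util or from ERB::Util: an escaper for the six characters OWASP lists (&, <, >, ", ' and /) that emits &#x27; for the single quote, the &apos; variant the thread says CGI.escapeHTML produced at the time, and a toy decoder (written here, assumed to stand in for an HTML 4 browser) that recognises only the named entities HTML 4 defines plus numeric references. The decoder shows the practical difference: &#x27; decodes to an apostrophe everywhere, while &apos;, an XML entity that HTML 4 never defined, is left in the page verbatim by such a browser. The function and constant names are this example's own.

```ruby
# Added example; not part of the ruby-core thread or Ruby's stdlib.
# OWASP Rule #1: escape these six characters before inserting untrusted
# data into HTML element content. The single quote is encoded as &#x27;
# rather than &apos;, because &apos; is defined by XML/XHTML but not by
# HTML 4, so older HTML-mode browsers rendered it literally.
OWASP_HTML_ESCAPE = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#x27;',
  '/' => '&#x2F;',
}.freeze

# Regexp.union escapes the keys, so '/' and '"' are matched literally.
OWASP_HTML_ESCAPE_RE = Regexp.union(OWASP_HTML_ESCAPE.keys)

# Escape untrusted text for insertion into HTML element content.
def owasp_html_escape(str)
  str.to_s.gsub(OWASP_HTML_ESCAPE_RE, OWASP_HTML_ESCAPE)
end

# Same escaper, but with the &apos; form the thread objects to.
def apos_html_escape(str)
  str.to_s.gsub(OWASP_HTML_ESCAPE_RE, OWASP_HTML_ESCAPE.merge("'" => '&apos;'))
end

# Named entities that HTML 4 actually defines for the special characters.
# Deliberately no 'apos': that is the point of the comparison.
HTML4_NAMED = { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"' }.freeze

# Minimal decoder standing in for a pre-HTML5 browser: numeric references
# (&#x27;, &#39;) and the HTML 4 named entities are decoded; anything else,
# including &apos;, is left in the output exactly as written.
def html4_decode(str)
  str.to_s.gsub(/&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/) do
    if Regexp.last_match(1)
      Regexp.last_match(1).hex.chr(Encoding::UTF_8)
    elsif Regexp.last_match(2)
      Regexp.last_match(2).to_i.chr(Encoding::UTF_8)
    elsif HTML4_NAMED.key?(Regexp.last_match(3))
      HTML4_NAMED[Regexp.last_match(3)]
    else
      Regexp.last_match(0) # unknown entity: shown literally by the browser
    end
  end
end

# True when escaped output contains none of the six raw characters.
def fully_escaped?(escaped)
  !(escaped =~ /[<>"'\/]/) && escaped.scan(/&(?!(?:amp|lt|gt|quot|#x27|#x2F);)/).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: attacker-controlled text that tries to open a tag.
  payload = %q{<a href="x" onclick='alert(1)'>/</a>}
  puts owasp_html_escape(payload)
  puts html4_decode(owasp_html_escape("Tom's <b>"))   # round-trips cleanly
  puts html4_decode(apos_html_escape("Tom's"))        # &apos; survives undecoded
end
```

The decoder is only a model of entity handling, not of the HTML parser; the point it makes is that the numeric form is understood by both HTML 4 and HTML5 consumers, while &apos; depends on the consumer speaking XHTML or HTML5.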
