Issue #5485 has been updated by shugo (Shugo Maeda).

Status changed from Assigned to Closed
Assignee changed from seki (Masatoshi Seki) to shugo (Shugo Maeda)

fixed in r36687.
----------------------------------------
Bug #5485: ERB html_escape should follow OWASP recommendations
https://bugs.ruby-lang.org/issues/5485#change-28845

Author: tenderlovemaking (Aaron Patterson)
Status: Closed
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category: 
Target version: 
ruby -v: ruby 2.0.0dev (2011-10-25 trunk 33524) [x86_64-darwin11.2.0]


Hi,

OWASP recommends that we escape single quotes and forward slashes before inserting them into HTML.  I would like to change ERB::Util.html_escape to do that.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I've attached a patch.  Thanks!


-- 
http://bugs.ruby-lang.org/
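An added example, not the attached patch or Ruby's own ERB code: a one-pass escaper covering the OWASP rule #1 character set the issue asks for (the four classic characters plus `'` and `/`), the narrower four-character table beside it, and a check for which of those characters a given escaper still leaves literal. All names are hypothetical and the sample input is constructed.

```ruby
# OWASP rule #1 entity table: &, <, >, " plus the single quote and
# forward slash this issue asks ERB::Util.html_escape to cover.
OWASP_HTML_ESCAPES = {
  "&" => "&amp;",
  "<" => "&lt;",
  ">" => "&gt;",
  '"' => "&quot;",
  "'" => "&#39;",   # &apos; is not an HTML 4 entity, so use the numeric form
  "/" => "&#x2F;",  # OWASP includes it because it helps end an HTML entity
}.freeze

OWASP_HTML_REGEXP = Regexp.union(OWASP_HTML_ESCAPES.keys)

# Escape every table character in a single pass.  One gsub with a hash
# matters: chained replacements would re-escape the "&" that an earlier
# substitution just produced.
def owasp_html_escape(str)
  str.to_s.gsub(OWASP_HTML_REGEXP, OWASP_HTML_ESCAPES)
end

# The narrower table (&, <, > and " only) that leaves ' and / untouched.
LEGACY_HTML_ESCAPES = OWASP_HTML_ESCAPES.select { |k, _| %w[& < > "].include?(k) }.freeze
LEGACY_HTML_REGEXP  = Regexp.union(LEGACY_HTML_ESCAPES.keys)

def legacy_html_escape(str)
  str.to_s.gsub(LEGACY_HTML_REGEXP, LEGACY_HTML_ESCAPES)
end

# A well-formed named, decimal or hex character reference.
ENTITY = /&(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);/

# Which OWASP rule #1 characters still appear literally in +html+ once
# well-formed entities are removed; a quick self-check for any escaper
# used in templates.
def unescaped_owasp_chars(html)
  stripped = html.gsub(ENTITY, "")
  OWASP_HTML_ESCAPES.keys.select { |c| stripped.include?(c) }
end

if __FILE__ == $0
  sample = %q{O'Reilly & Sons </b> "path/to"}   # constructed input
  puts owasp_html_escape(sample)
  puts legacy_html_escape(sample)
  p unescaped_owasp_chars(legacy_html_escape(sample))   # ["'", "/"]
end
```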