Issue #6861 has been updated by shugo (Shugo Maeda).


Aaron Patterson wrote:
>  > I and SEKI have discussed it, and have agreed to use cgi/util.
>  > CGI.escapeHTML has a problem that it uses ' instead of ', but
>  > xibbar will fix it later.
>  
>  Shouldn't CGI use ERB?  It seems like ERB's use is for creating HTML,
>  where CGI is in charge of providing the common gateway interface.

I admit that the name CGI is wrong.  However, despite its name, CGI provides various features for Web applications.  For example, cgi/html.rb provides features to generate HTML, and cgi/util.rb provides utility methods such as HTML.

>  ERB concerns itself with templating and should have knowledge of
>  template formats / escaping.  It seems CGI would not.

HTML templating is the most common use case of ERB, but ERB is originally independent from HTML.  For example, it can be used to embed Ruby code into TeX files.
Furthermore, ERB is provided as a single large file, and it's not a good idea to make CGI depend on the whole of ERB.


----------------------------------------
Bug #6861: ERB::Util.escape_html is not escaping single quotes
https://bugs.ruby-lang.org/issues/6861#change-28848

Author: spastorino (Santiago Pastorino)
Status: Closed
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category: 
Target version: 
ruby -v: 2.0.0dev


We just fixed this issue in Rails
https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J%5B1-25%5D

Ruby's ERB is not escaping single quotes and this could lead to
security issues like ...

<a href='<%= h link %>' >My Link!</a>
being link = " '; alert(hax) "

OWASP suggests escaping &, <, >, ", ' and /
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

About /, I don't think it could lead to issues, but that's another story.

You have the right code in CGI.escapeHTML
https://github.com/ruby/ruby/blob/c47cca2f/lib/cgi/util.rb#L36 so my
suggestion is to reuse CGI.escapeHTML from ERB::Util

I've sent a pull request https://github.com/ruby/ruby/pull/156
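An added illustration of the report, not code from the ticket nor Ruby's own ERB or CGI implementation: one escaper that stops at the four classic entities (assumed to mirror the pre-fix behaviour described above) beside one covering the full OWASP set, both run over the single-quoted href template and payload quoted in the report.

```ruby
# Added example (not Ruby's ERB::Util or CGI.escapeHTML): why an HTML
# escaper that handles only & < > " is insufficient inside a
# single-quoted attribute, and what a full escaper produces instead.

# Escapes only & < > " (assumed set, mirroring the report: no single quote).
NO_SQUOTE_MAP = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;",
}.freeze

def escape_html_no_squote(str)
  str.to_s.gsub(/[&<>"]/, NO_SQUOTE_MAP)
end

# Escapes the characters OWASP recommends for element content and
# quoted attributes: & < > " ' and /.
FULL_MAP = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
  '"' => "&quot;", "'" => "&#39;", "/" => "&#x2F;",
}.freeze

def escape_html_full(str)
  str.to_s.gsub(%r{[&<>"'/]}, FULL_MAP)
end

# Renders the template from the report with the named escaper method.
def render_link(link, escaper)
  "<a href='#{send(escaper, link)}' >My Link!</a>"
end

# True if a raw single quote survived escaping, i.e. the value could
# terminate a single-quoted attribute and inject further attributes.
def breaks_single_quoted_attr?(escaped)
  escaped.include?("'")
end

if __FILE__ == $0
  link = " '; alert(hax) "          # payload from the report
  puts render_link(link, :escape_html_no_squote) # quote survives
  puts render_link(link, :escape_html_full)      # quote becomes &#39;
end
```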


-- 
http://bugs.ruby-lang.org/