Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

html_escape does not escape single quote #7215

Closed
ghost opened this issue Jul 31, 2012 · 2 comments
Closed

html_escape does not escape single quote #7215

ghost opened this issue Jul 31, 2012 · 2 comments

Comments

@ghost
Copy link

ghost commented Jul 31, 2012

Hello,

I've noticed today that the html_escape function does not encode single quote contrary to OWASP recommendations.

It raised some security problems in my web application and thus I think it would be better to escape single quote by default. Have I missed something ?
@rafaelfranca
Copy link
Member

Please post this kind of issues following these instructions.

http://rubyonrails.org/security

@ghost
Copy link
Author

ghost commented Jul 31, 2012

Ok thanks.

spastorino added a commit that referenced this issue Aug 1, 2012
@spastorino
html_escape should escape single quotes
b6ab441 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
spastorino added a commit that referenced this issue Aug 2, 2012
@spastorino @rafaelfranca
html_escape should escape single quotes
2bdb4ec 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/form_tag_helper_test.rb
	actionpack/test/template/text_helper_test.rb
	actionpack/test/template/url_helper_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
spastorino added a commit that referenced this issue Aug 2, 2012
@spastorino
html_escape should escape single quotes
28f2c6f 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/form_tag_helper_test.rb
	actionpack/test/template/text_helper_test.rb
	actionpack/test/template/url_helper_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
spastorino added a commit that referenced this issue Aug 7, 2012
@spastorino
html_escape should escape single quotes
d0c9759 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
spastorino added a commit that referenced this issue Aug 8, 2012
@spastorino @tenderlove
html_escape should escape single quotes
780a718 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
@betelgeuse betelgeuse mentioned this issue Aug 10, 2012
Closed
tenderlove added a commit that referenced this issue Jan 24, 2013
@tenderlove
Squashed commit of the following:
d549df7 
commit 9ef905f
Author: Rafael Mendonça França <rafaelmfranca@gmail.com>
Date:   Tue Aug 7 22:38:40 2012 -0300

    Fix tests about single quote escaping

commit 780a718
Author: Santiago Pastorino <santiago@wyeworks.com>
Date:   Tue Jul 31 22:25:54 2012 -0300

    html_escape should escape single quotes

    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215

    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
53a449c 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
2cbb9e4 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
6e65eb5 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
cf542fb 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
f314b48 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
7d085eb 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
ae7d78e 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 25, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
ce9bd45 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
f06603f 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
593433f 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
ff1d832 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
d9c9db2 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
ac69b64 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
da90a25 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
ffec551 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
Tho85 pushed a commit to Tho85/rails that referenced this issue Mar 29, 2013
@spastorino
[CVE-2012-3464] html_escape should escape single quotes
05d07bd 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes rails#7215
@tdunlap607 tdunlap607 mentioned this issue Apr 23, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rafaelfranca