html_escape does not escape single quote #7215

Closed
ghost opened this Issue Jul 31, 2012 · 2 comments

Comments

Projects
None yet
1 participant
@ghost

ghost commented Jul 31, 2012

Hello,

I've noticed today that the html_escape function does not encode single quote contrary to OWASP recommendations.

It raised some security problems in my web application and thus I think it would be better to escape single quote by default. Have I missed something ?

Owner

rafaelfranca commented Jul 31, 2012

Please post this kind of issues following these instructions.

http://rubyonrails.org/security

@ghost

ghost commented Jul 31, 2012

Ok thanks.

spastorino added a commit that referenced this issue Aug 2, 2012

html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/form_tag_helper_test.rb
	actionpack/test/template/text_helper_test.rb
	actionpack/test/template/url_helper_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb

spastorino added a commit that referenced this issue Aug 2, 2012

html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/form_tag_helper_test.rb
	actionpack/test/template/text_helper_test.rb
	actionpack/test/template/url_helper_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb

spastorino added a commit that referenced this issue Aug 8, 2012

html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb

tenderlove added a commit that referenced this issue Jan 24, 2013

Squashed commit of the following:
commit 9ef905f
Author: Rafael Mendonça França <rafaelmfranca@gmail.com>
Date:   Tue Aug 7 22:38:40 2012 -0300

    Fix tests about single quote escaping

commit 780a718
Author: Santiago Pastorino <santiago@wyeworks.com>
Date:   Tue Jul 31 22:25:54 2012 -0300

    html_escape should escape single quotes

    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215

    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment