html_escape does not escape single quote

Hello,

I've noticed today that the [html_escape](https://github.com/rails/rails/blob/master/activesupport/lib/active_support/core_ext/string/output_safety.rb) function does not encode single quote contrary to [OWASP recommendations](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content).

It raised some security problems in my web application and thus I think it would be better to escape single quote by default.  Have I missed something ?


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

html_escape does not escape single quote #7215

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

html_escape does not escape single quote #7215

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions