html_escape should escape single quotes

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215 Conflicts: actionpack/test/template/erb_util_test.rb actionpack/test/template/form_tag_helper_test.rb actionpack/test/template/text_helper_test.rb actionpack/test/template/url_helper_test.rb activesupport/lib/active_support/core_ext/string/output_safety.rb
author: Santiago Pastorino <santiago@wyeworks.com> 2012-07-31 22:25:54 -0300
committer: Santiago Pastorino <santiago@wyeworks.com> 2012-08-02 17:14:30 -0300
commit: 28f2c6f4037081da0a82104a3f473165ed4ed2ce (patch)
tree: a511eac32c29cf7f9612b6691ac15ac558c5bd77 /activesupport/lib
parent: 9c1b1bd42ce00d43b7894daaf096eff9ee55aef1 (diff)
download: rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.tar.gz
rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.tar.bz2
rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.zip
1 files changed, 16 insertions, 28 deletions
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index f5622224d2..c0bd821ea5 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,36 +3,24 @@ require 'active_support/core_ext/kernel/singleton_class'
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
 
-    # Detect whether 1.9 can transcode with XML escaping.
-    if '"&gt;&lt;&amp;&quot;"' == ('><&"'.encode('utf-8', :xml => :attr) rescue false)
-      # A utility method for escaping HTML tag characters.
-      # This method is also aliased as <tt>h</tt>.
-      #
-      # In your ERB templates, use this method to escape any unsafe content. For example:
-      #   <%=h @person.name %>
-      #
-      # ==== Example:
-      #   puts html_escape("is a > 0 & a < 10?")
-      #   # => is a &gt; 0 &amp; a &lt; 10?
-      def html_escape(s)
-        s = s.to_s
-        if s.html_safe?
-          s
-        else
-          s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
-        end
-      end
-    else
-      def html_escape(s) #:nodoc:
-        s = s.to_s
-        if s.html_safe?
-          s
-        else
-          s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
-        end
+    # A utility method for escaping HTML tag characters.
+    # This method is also aliased as <tt>h</tt>.
+    #
+    # In your ERB templates, use this method to escape any unsafe content. For example:
+    #   <%=h @person.name %>
+    #
+    # ==== Example:
+    #   puts html_escape("is a > 0 & a < 10?")
+    #   # => is a &gt; 0 &amp; a &lt; 10?
+    def html_escape(s)
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
       end
     end
author	Santiago Pastorino <santiago@wyeworks.com>	2012-07-31 22:25:54 -0300
committer	Santiago Pastorino <santiago@wyeworks.com>	2012-08-02 17:14:30 -0300
commit	28f2c6f4037081da0a82104a3f473165ed4ed2ce (patch)
tree	a511eac32c29cf7f9612b6691ac15ac558c5bd77 /activesupport/lib
parent	9c1b1bd42ce00d43b7894daaf096eff9ee55aef1 (diff)
download	rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.tar.gz rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.tar.bz2 rails-28f2c6f4037081da0a82104a3f473165ed4ed2ce.zip