html_escape should escape single quotes

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215
author: Santiago Pastorino <santiago@wyeworks.com> 2012-07-31 22:25:54 -0300
committer: Santiago Pastorino <santiago@wyeworks.com> 2012-07-31 22:26:52 -0300
commit: b6ab4417720e03f1551abda2f1e4bd0a392dd04e (patch)
tree: 26546831441178c40782e3357e1a6961ef4f899c /activesupport/test/core_ext/string_ext_test.rb
parent: c10202208982bfa02ffd16d1614992228391d781 (diff)
download: rails-b6ab4417720e03f1551abda2f1e4bd0a392dd04e.tar.gz
rails-b6ab4417720e03f1551abda2f1e4bd0a392dd04e.tar.bz2
rails-b6ab4417720e03f1551abda2f1e4bd0a392dd04e.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index e5b774425e..3b08ebe35f 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -498,8 +498,8 @@ class OutputSafetyTest < ActiveSupport::TestCase
   end
 
   test "ERB::Util.html_escape should escape unsafe characters" do
-    string = '<>&"'
-    expected = '&lt;&gt;&amp;&quot;'
+    string = '<>&"\''
+    expected = '&lt;&gt;&amp;&quot;&#x27;'
     assert_equal expected, ERB::Util.html_escape(string)
   end
author	Santiago Pastorino <santiago@wyeworks.com>	2012-07-31 22:25:54 -0300
committer	Santiago Pastorino <santiago@wyeworks.com>	2012-07-31 22:26:52 -0300
commit	b6ab4417720e03f1551abda2f1e4bd0a392dd04e (patch)
tree	26546831441178c40782e3357e1a6961ef4f899c /activesupport/test/core_ext/string_ext_test.rb
parent	c10202208982bfa02ffd16d1614992228391d781 (diff)
download	rails-b6ab4417720e03f1551abda2f1e4bd0a392dd04e.tar.gz rails-b6ab4417720e03f1551abda2f1e4bd0a392dd04e.tar.bz2 rails-b6ab4417720e03f1551abda2f1e4bd0a392dd04e.zip