&#39 dates back to SGML when &#x27 was introduced in HTML 4.0

3 files changed, 4 insertions, 2 deletions

diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 47280c3dc8..3914f4dc4c 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Rails 4.0.0 (unreleased) ##
 
+*   `ERB::Util.html_escape` encodes single quote as `#39`. Decimal form has better support in old browsers. *Kalys Osmonov*
+
 *   `ActiveSupport::Callbacks`: deprecate monkey patch of object callbacks.
     Using the #filter method like this:
 
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index dad4b29d46..999b715981 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,7 +3,7 @@ require 'active_support/core_ext/kernel/singleton_class'
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
     HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
     JSON_ESCAPE_REGEXP = /[&"><]/
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index dc5ae0eafc..6720ed42f0 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -500,7 +500,7 @@ class OutputSafetyTest < ActiveSupport::TestCase
 
   test "ERB::Util.html_escape should escape unsafe characters" do
     string = '<>&"\''
-    expected = '&lt;&gt;&amp;&quot;&#x27;'
+    expected = '&lt;&gt;&amp;&quot;&#39;'
     assert_equal expected, ERB::Util.html_escape(string)
   end