Merge pull request #275 from pk-amooma/master

properly escape "'" to "'" for XML

2 files changed, 14 insertions, 2 deletions

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index c27cbc37c5..6f410819ba 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,7 +3,7 @@ require 'active_support/core_ext/kernel/singleton_class'
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
+    XML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&apos;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
 
     # A utility method for escaping HTML tag characters.
@@ -20,7 +20,7 @@ class ERB
       if s.html_safe?
         s
       else
-        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+        s.gsub(/[&"'><]/) { |special| XML_ESCAPE[special] }.html_safe
       end
     end
 
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index 32675c884a..54ef68c59b 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -387,6 +387,18 @@ class OutputSafetyTest < ActiveSupport::TestCase
     assert !@other_combination.html_safe?
   end
 
+  test "Escapes special HTML/XML characters" do
+    @other_string = "other".html_safe
+    @combination = @other_string + "<foo>&\"'"
+    @other_combination = @string + "<foo>&\"'"
+
+    assert_equal "other&lt;foo&gt;&amp;&quot;&apos;", @combination
+    assert_equal "hello<foo>&\"'", @other_combination
+
+    assert @combination.html_safe?
+    assert !@other_combination.html_safe?
+  end
+
   test "Concatting safe onto unsafe yields unsafe" do
     @other_string = "other"