From 2bdb4ec6ad9bb99ac0029fcb030ac757307d08ae Mon Sep 17 00:00:00 2001
From: Santiago Pastorino <santiago@wyeworks.com>
Date: Tue, 31 Jul 2012 22:25:54 -0300
Subject: html_escape should escape single quotes

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/form_tag_helper_test.rb
	actionpack/test/template/text_helper_test.rb
	actionpack/test/template/url_helper_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
---
 activesupport/test/core_ext/string_ext_test.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'activesupport/test/core_ext/string_ext_test.rb')

diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index 47b9f68ed0..a8eca53ea7 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -493,8 +493,8 @@ class OutputSafetyTest < ActiveSupport::TestCase
   end
 
   test "ERB::Util.html_escape should escape unsafe characters" do
-    string = '<>&"'
-    expected = '&lt;&gt;&amp;&quot;'
+    string = '<>&"\''
+    expected = '&lt;&gt;&amp;&quot;&#x27;'
     assert_equal expected, ERB::Util.html_escape(string)
   end
 
-- 
cgit v1.2.3