From: "xibbar (Takeyuki Fujioka)"
Date: 2012-08-10T11:01:19+09:00
Subject: [ruby-core:47099] [ruby-trunk - Bug #6850] It's not recommended to escape ' to &apos;

Issue #6850 has been updated by xibbar (Takeyuki Fujioka).

Assignee set to xibbar (Takeyuki Fujioka)

----------------------------------------
Bug #6850: It's not recommended to escape ' to &apos;
https://bugs.ruby-lang.org/issues/6850#change-28751

Author: spastorino (Santiago Pastorino)
Status: Open
Priority: Normal
Assignee: xibbar (Takeyuki Fujioka)
Category:
Target version: 2.0.0
ruby -v: 2.0.0dev

OWASP doesn't recommend it
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

and &apos; is not valid in HTML4
http://www.w3.org/TR/html4/sgml/entities.html

I've made a Pull Request on github too
https://github.com/ruby/ruby/pull/154

--
http://bugs.ruby-lang.org/
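The escaping the ticket argues for, as an added example that is not the ticket's or the pull request's code: an HTML escaper following OWASP XSS Prevention Rule #1, which maps the single quote to the numeric reference &#x27; rather than &apos; (an XML/XHTML entity that HTML 4.01 does not define), plus a small check that flags any non-HTML4 named entity an escaper emits. The function and constant names are this example's own.

```ruby
# Added example (not from the ticket or the pull request): HTML-escape
# untrusted text for insertion into element content following OWASP
# XSS Prevention Rule #1. The single quote becomes a numeric reference,
# not &apos;, because &apos; is absent from the HTML 4.01 entity list.
HTML_ESCAPE_MAP = {
  "&" => "&amp;",
  "<" => "&lt;",
  ">" => "&gt;",
  '"' => "&quot;",
  "'" => "&#x27;",  # OWASP's choice; &apos; is XML/XHTML only
  "/" => "&#x2F;"   # OWASP includes "/" since it helps close a tag
}.freeze

HTML_ESCAPE_RE = Regexp.union(HTML_ESCAPE_MAP.keys)

def escape_html(untrusted)
  untrusted.to_s.gsub(HTML_ESCAPE_RE, HTML_ESCAPE_MAP)
end

# Check the output of any escaper: every entity it emits must be a
# numeric reference or one of the four named entities that HTML 4.01
# defines and Rule #1 relies on. Returns the offending entities
# (empty when the output is HTML4-safe).
HTML4_SAFE_NAMED = %w[&amp; &lt; &gt; &quot;].freeze

def non_html4_entities(escaped)
  escaped.scan(/&#?[A-Za-z0-9]+;/).reject do |ent|
    ent.start_with?("&#") || HTML4_SAFE_NAMED.include?(ent)
  end.uniq
end

if __FILE__ == $PROGRAM_NAME
  sample = %q{Tom's <b>"bold"</b> & a/b}   # constructed sample input
  puts escape_html(sample)
  puts non_html4_entities("it&apos;s").inspect   # => ["&apos;"]
end
```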