Reputation: 1650
I recently upgraded my Ruby 1.9.3 to 2.0.0 and had a surprise: CGI::escapeHTML is now escaping the single quote, meaning:

```ruby
CGI::escapeHTML("'")
=> "&#39;"
```
The weirdest thing is that, when going to the definition of escapeHTML, everything seems fine, and copying the definition of the method gives the right result (it doesn't escape the single quote).
Does anyone have a clue about this?
Thanks,
Upvotes: 7
Views: 2653
Reputation: 1924
I didn't want the new behaviour. That I was using CGI::Escape is perhaps wrong, but I had no time to figure out why or rework it. I just wanted the old behaviour back.
I ended up taking the ' character out while I call CGI::Escape:
```ruby
require 'cgi'

def escapeHTML(title)
  # placeholder character that stands in for ' while escaping runs
  char = "\u00A9"
  target_title = title.gsub("'", char)        # hide the single quotes
  target_title = CGI.escapeHTML(target_title) # escape everything else
  target_title = target_title.gsub(char, "'") # put the single quotes back
  return target_title
end
```
Find a char you know won't appear in your input!
Upvotes: 0
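The sentinel trick above only holds while the sentinel never occurs in the input. The following example is added here and is not from the answer: it runs the same round-trip against a constructed title that does contain U+00A9 to show the collision, and next to it an alternative that reverses only the &#39; entity that escapeHTML itself produced, so no sentinel is needed at all. Function and constant names are my own.

```ruby
require 'cgi'

# The placeholder the answer above picks (the copyright sign).
SENTINEL = "\u00A9"

# The answer's round-trip: swap ' for the sentinel, escape, swap back.
def escape_via_sentinel(title)
  CGI.escapeHTML(title.gsub("'", SENTINEL)).gsub(SENTINEL, "'")
end

# Alternative (not from the answer): let escapeHTML do its work, then undo only
# the entity it emits for the single quote. There is no sentinel to collide
# with, and a literal "&#39;" in the input cannot be mistaken for an emitted
# entity because its '&' is escaped to "&amp;" first.
def escape_keeping_single_quote(title)
  CGI.escapeHTML(title).gsub('&#39;', "'")
end

# Constructed inputs.
PLAIN = "Rock 'n' Roll <b>"
WITH_SENTINEL = "\u00A9 2013 Example Corp"   # contains the sentinel itself

# Returns all four results so the two approaches can be compared.
def demo
  {
    sentinel_plain: escape_via_sentinel(PLAIN),
    sentinel_clash: escape_via_sentinel(WITH_SENTINEL),   # sentinel turned into '
    entity_plain:   escape_keeping_single_quote(PLAIN),
    entity_clash:   escape_keeping_single_quote(WITH_SENTINEL)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, out| puts "#{label}: #{out.inspect}" }
end
```

On the plain input both approaches agree; on the input that already contains the sentinel, the round-trip silently rewrites the copyright sign into an apostrophe, while the entity-reversal variant leaves it alone. Either way, the result still has the 1.9.3 weakness that the question and the other answer discuss: it is only safe where the apostrophe is not an attribute delimiter.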
Reputation: 13574
Actually, it does what is defined in the 2.0 source. But you are right, the implementation changed from 1.9.3 to 2.0.
```ruby
# Ruby 1.9.3: four characters are escaped
def CGI::escapeHTML(string)
  string.gsub(/[&\"<>]/, TABLE_FOR_ESCAPE_HTML__)
end

# Ruby 2.0.0: the character class (and the table) now include the single quote
def CGI::escapeHTML(string)
  string.gsub(/['&\"<>]/, TABLE_FOR_ESCAPE_HTML__)
end
```
Why have they changed it?
It was done in this commit because (according to bug #5485) OWASP recommends escaping single quotes before inserting them into HTML. So it's a security thing.
Upvotes: 9
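To make the security reason concrete, here is an added example (mine, not from the answer or the Ruby source) that puts a 1.9.3-style escaper next to the 2.0 CGI.escapeHTML and renders an ordinary value into a single-quoted HTML attribute. The legacy table and the helper names are reconstructed for the comparison; the input is constructed and contains nothing but an apostrophe.

```ruby
require 'cgi'

# Reimplementation of the 1.9.3 behaviour for a side-by-side run. This is not
# the stdlib code; it only reproduces the four-character set the old method used.
LEGACY_TABLE = { '&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;' }.freeze

def legacy_escape_html(string)
  string.gsub(/[&"<>]/, LEGACY_TABLE)
end

# Ruby 2.0+ behaviour: the same table plus "'" => "&#39;".
def modern_escape_html(string)
  CGI.escapeHTML(string)
end

# Interpolate an untrusted value into a single-quoted attribute. Single-quoted
# attributes are valid HTML, and this is exactly the context the old escaper
# left open: a raw ' in the value ends the attribute early.
def render_title_attr(value, escaper)
  "<a title='#{send(escaper, value)}'>link</a>"
end

# A single-quoted attribute is intact when the rendered tag contains exactly two
# raw single quotes: the one that opens the attribute and the one that closes it.
def attribute_intact?(html)
  html.count("'") == 2
end

# Constructed input: a plain name with an apostrophe is enough to show the
# delimiter problem.
NAME = "O'Brien & Sons"

if __FILE__ == $PROGRAM_NAME
  [:legacy_escape_html, :modern_escape_html].each do |esc|
    html = render_title_attr(NAME, esc)
    puts "#{esc}: #{html} (intact: #{attribute_intact?(html)})"
  end
end
```

With the legacy escaper the rendered tag carries three raw single quotes, so a browser closes the title attribute after the O and treats the rest of the value as new markup; with the 2.0 escaper the apostrophe arrives as &#39; and the attribute stays a single, well-formed attribute. That is the case the OWASP recommendation cited in the answer is about: escaping only for double-quoted attributes leaves single-quoted ones unprotected.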