From 4cd8a2b982594b428bfe2bcd386e712107b1ffa9 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Sun, 12 Aug 2012 13:14:34 -0300
Subject: [PATCH] Make ERB::Util.html_escape escape single quotes

ERB::Util.html_escape is not escaping single quotes and this is dangerous
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet\#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
---
 lib/erb.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/erb.rb b/lib/erb.rb
index bb47943a868a0c..09623f07c21b4d 100644
--- a/lib/erb.rb
+++ b/lib/erb.rb
@@ -896,6 +896,16 @@ class ERB
   # A utility module for conversion routines, often handy in HTML generation.
   module Util
     public
+
+    # The set of special characters and their escaped values
+    TABLE_FOR_ESCAPE_HTML__ = {
+      "'" => ''',
+      '&' => '&',
+      '"' => '"',
+      '<' => '<',
+      '>' => '>',
+    }
+
     #
     # A utility method for escaping HTML tag characters in _s_.
     #
@@ -909,7 +919,7 @@ module Util
     # is a > 0 & a < 10?
     #
     def html_escape(s)
-      s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/]/, TABLE_FOR_ESCAPE_HTML__)
     end
     alias h html_escape
     module_function :h
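Review bot: The new `TABLE_FOR_ESCAPE_HTML__` hash added in the first hunk is a mutable constant that the rewritten `html_escape` body in the second hunk consults on every call, so any later assignment into or `delete` from it would silently change what escaping the method applies; the literal should be closed with `}.freeze`. The doc comment on the method (`# A utility method for escaping HTML tag characters in _s_.`) still describes only tag characters even though the point of the commit is single quotes, so it should be updated along with the example output, e.g. `# Escapes &, ", ', < and > in _s_ so the result is safe to insert into HTML text or quoted attribute values.` In this rendering the table's replacement values appear as the bare characters rather than entity strings, which is presumably an artifact of the page; it is still worth confirming that `'` maps to the numeric `&#39;` rather than `&apos;`, since `&apos;` is not an HTML 4 entity and older parsers leave it unexpanded. The removed and added `gsub` lines are also run together in this rendering, so the exact character class of the new regex cannot be read here and should match the table's keys one-for-one.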