HTML.escape - Switch to Rack::Utils.escape_html behavior by default. …

…Escapes '&', '"', '\'', '/', '<' and '>' chars only.

XSS escaping still available as a XSS option.

Short escaping like Ruby one now available as a Short option.

Fixes #3233, refs #2175.

spec/std/html_spec.cr

@@ -15,14 +15,26 @@ describe "HTML" do
       str.should eq("< & >")
     end
 
+    it "escapes as documented in default mode" do
+      str = HTML.escape("Crystal & You")
+
+      str.should eq("Crystal & You")
+    end
+
+    it "escapes as documented in XSS mode" do
+      str = HTML.escape("Crystal = Me", HTML::EscapeMode::XSS)
+
+      str.should eq("Crystal = Me")
+    end
+
     it "escapes javascript example from a string" do
-      str = HTML.escape("<script>alert('You are being hacked')</script>")
+      str = HTML.escape("<script>alert('You are being hacked')</script>", HTML::EscapeMode::XSS)
 
-      str.should eq("&lt;script&gt;alert&#40;&#39;You are being hacked&#39;&#41;&lt;/script&gt;")
+      str.should eq("&lt;script&gt;alert&#40;&#39;You are being hacked&#39;&#41;&lt;&#2F;script&gt;")
     end
 
     it "escapes nonbreakable space but not normal space" do
-      str = HTML.escape("nbsp space ")
+      str = HTML.escape("nbsp space ", HTML::EscapeMode::XSS)
 
       str.should eq("nbsp&nbsp;space ")
     end

src/html.cr

@@ -1,11 +1,41 @@
 # Handles encoding and decoding of HTML entities.
 module HTML
-  SUBSTITUTIONS = {
+  # `HTML.escape` escaping mode.
+  enum EscapeMode
+    # Escapes '&', '"', '\'', '/', '<' and '>' chars.
+    Default,
+    # Escapes '&', '"', '<' and '>' chars.
+    Short,
+    # Escapes a lot of chars according to XSS.
+    XSS,
+  end
+
+  # Simular to Ruby CGI::escapeHTML.
+  SHORT_ESCAPE = {
+    '&' => "&amp;",
+    '"' => "&quot;",
+    '<' => "&lt;",
+    '>' => "&gt;",
+  }
+
+  # Simular to Rack::Utils.escape_html. Most used one.
+  DEFAULT_ESCAPE = {
+    '&'  => "&amp;",
+    '"'  => "&quot;",
+    '<'  => "&lt;",
+    '>'  => "&gt;",
+    '\'' => "&#27;",
+    '/'  => "&#2F;",
+  }
+
+  # XSS escaping set.
+  XSS_ESCAPE = {
     '!'      => "&#33;",
     '"'      => "&quot;",
     '$'      => "&#36;",
     '%'      => "&#37;",
     '&'      => "&amp;",
+    '/'      => "&#2F;",
     '\''     => "&#39;",
     '('      => "&#40;",
     ')'      => "&#41;",
@@ -28,9 +58,17 @@ module HTML
   # require "html"
   #
   # HTML.escape("Crystal & You") # => "Crystal &amp; You"
+  #
+  # HTML.escape("Crystal = Me", HTML::EscapeMode::Extended) # => "Crystal &#61; Me"
   # ```
-  def self.escape(string : String) : String
-    string.gsub(SUBSTITUTIONS)
+  def self.escape(string : String, mode : EscapeMode = EscapeMode::Default) : String
+    subst = case mode
+            when EscapeMode::Default then DEFAULT_ESCAPE
+            when EscapeMode::Short   then SHORT_ESCAPE
+            when EscapeMode::XSS     then XSS_ESCAPE
+            else                          DEFAULT_ESCAPE
+            end
+    string.gsub(subst)
   end
 
   # Encodes a string to HTML, but writes to the `IO` instance provided.
@@ -40,9 +78,15 @@ module HTML
   # HTML.escape("Crystal & You", io) # => nil
   # io.to_s                          # => "Crystal &amp; You"
   # ```
-  def self.escape(string : String, io : IO)
+  def self.escape(string : String, io : IO, mode : EscapeMode = EscapeMode::Default)
+    subst = case mode
+            when EscapeMode::Default then DEFAULT_ESCAPE
+            when EscapeMode::Short   then SHORT_ESCAPE
+            when EscapeMode::XSS     then XSS_ESCAPE
+            else                          DEFAULT_ESCAPE
+            end
     string.each_char do |char|
-      io << SUBSTITUTIONS.fetch(char, char)
+      io << subst.fetch(char, char)
     end
   end