bug HTML.escape

[kostya]

irb(main):001:0> require 'cgi'
=> true
irb(main):002:0> CGI.escapeHTML("?a=1&b=2")
=> "?a=1&b=2"

require "html"
p HTML.escape("?a=1&b=2")

"?a=1&b=2"

i don't may be this is correct, i just rewrite some specs for my project from ruby and find it failed

[kostya]

ruby uses this

  TABLE_FOR_ESCAPE_HTML__ = {
    "&" => "&",
    "\"" => """,
    "<" => "&lt;",
    ">" => "&gt;"
  }

[asterite]

They were originally those, until this happened: #2175

As with anything web-related, I don't know what's the correct answer, or which of the RFCs that apply to this case, if any, we should follow.

[rdp]

It definitely feels as if something is amiss, because I believe I should be able to do the following:

something.ecr

...

However with today's HTML.escape, if there are "=" in my_url, I'll end up with a URL like

...

which is "not the right url" and not received correctly by the host.

Django seems to differentiate "javascript escape" from HTML escapes FWIW. https://docs.djangoproject.com/en/1.10/_modules/django/utils/html/#escape

and from this link (of #2175)

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules

"rule #1" HTML escape:

 & --> &
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;     &apos; not recommended because its not in the HTML spec (See: section 24.4.1) &apos; is in the XML and XHTML specs.
 / --> &#x2F;     forward slash is included as it helps end an HTML entity

which is quite a similar list, and it also then differentiates between that, attribute, and javascript escaping.

So sounds like there are a lot of different types of escapes actually in use today.

I'd be happy to hack up something to have three different escape methods if that would be useful. What this does mean though, however, is that the current escape mechanism "doesn't work" for (at least) escaping links today and requires local workarounds like this:
ysbaddaden/frost@896a74b

Thanks all.

[ysbaddaden]

Maybe a parameter, or a few methods to selectively encode few or many characters?

[0x1eef]

there's also Rack::Utils.escape_html. it uses a small hash table, similar to CGI.escape_html.

ESCAPE_HTML =
{
  "&" => "&",
  "<" => "&lt;",
  ">" => "&gt;",
  "'" => "&#x27;",
  '"' => "&quot;",
  "/" => "&#x2F;"
}

[rdp]

Yes, it seems that "normal" escape is those chars. If I knew what is the
"normal" way to do this in the std lib (multiple method names? params?) I'd
be happy to proceed :)

On Tue, Nov 1, 2016 at 3:19 AM, jazzonmymind [email protected]
wrote:

there's also Rack::Utils.escape_html
http://www.rubydoc.info/github/rack/rack/Rack%2FUtils.escape_html. it
uses a small hash table, similar to CGI.escape_html.

ESCAPE_HTML =
{
"&" => "&",
"<" => "<",
">" => ">",
"'" => "'",
'"' => """,
"/" => "/"
}

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#3233 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAAw0NiiXoSH6gZzE42dgGvysJrbtroEks5q5wQ7gaJpZM4J0F9f
.

[codenoid]

still open ? :/

[rdp]

yes

…

On Wed, Sep 20, 2017 at 2:26 AM, Rubi Jihantoro ***@***.***> wrote: still open ? :/ — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#3233 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAw0PawyJgLmoyrdXwFG4lRqNlEzWQoks5skMwogaJpZM4J0F9f> .