h() or html_escape() does not escape the single quote... risky?


#1

so h() is an alias for html_escape() and they convert the following 4
characters

< > & "

into

&lt; &gt; &amp; &quot;

the single quote is not converted…

I just wonder sometimes we happen to write code such as

and it can cause a cross-site scripting (XSS) attack?

we usually use double quotes, but sometimes we use single quotes, like
somebody can write

puts ""

(sorry, I have used PHP for quite some time and so my Ruby is rusty…)


#2

This is a Rails question. Please ask Rails questions in a Rails forum,
not on the Ruby mailing list.

SpringFlowers AutumnMoon wrote:

the single quote is not converted…

I just wonder sometimes we happen to write code such as

Just don’t, it’s not correct HTML.


#3

Hi,

At Sun, 28 Sep 2008 04:28:45 +0900,
SpringFlowers AutumnMoon wrote in [ruby-talk:316193]:

the single quote is not converted…

I guess that is because the character entity reference of
single quote isn’t defined in HTML.

we usually use double quotes, but sometimes we use single quotes, like
somebody can write

puts ""

You can use other delimiters than double quote and single quote.

puts %[]

or heredoc.

puts <<HIDDEN

HIDDEN

Heredocs include the last newline, but that makes no difference when used
with #puts.


#4

Andreas S. wrote:

Just don’t, it’s not correct HTML.

Really? I thought HTML 4.01 allows using either double or single
quotes?


#5

On Sep 27, 10:19 pm, SpringFlowers AutumnMoon <rails-mailing-
removed_email_address@domain.invalid> wrote:

Andreas S. wrote:

Just don’t, it’s not correct HTML.

Really? I thought HTML 4.01 allows using either double or single
quotes?

perhaps, but if h() doesn’t escape single quotes then you’d want to
avoid using single quotes as the attribute value delimiter.