I recently upgraded my Ruby 1.9.3 to 2.0.0 and had a surprise; CGI::escapeHTML is now escaping the single quote, meaning:
    CGI::escapeHTML("'")
    => "&#39;"
The weirdest thing is that, when going to the definition of escapeHTML, everything seems fine, and copying the definition of the method gives the right result (it doesn't escape the single quote).
Does anyone have a clue about this?
Thanks,
Actually, it does what is defined in the 2.0 source. But you are right, the implementation changed from 1.9.3 to 2.0.
1.9.3 source:

    def CGI::escapeHTML(string)
      string.gsub(/[&\"<>]/, TABLE_FOR_ESCAPE_HTML__)
    end

2.0 source:

    def CGI::escapeHTML(string)
      string.gsub(/['&\"<>]/, TABLE_FOR_ESCAPE_HTML__)
    end
Why have they changed it?
It was done in this commit because (according to bug #5485) OWASP recommends escaping single quotes before inserting them into HTML. So it's a security thing.
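To make the security reasoning in the answer concrete, here is an added example (not part of the answer and not Ruby's own source) that re-creates both escapers side by side. The replacement table is reconstructed here and is an assumption; the `&#39;` entity is what Ruby 2.0's table emits for a single quote. The template and the input value are constructed for the demonstration. The point it shows: when a value lands inside a single-quoted attribute, the 1.9.3 character class leaves the quote intact, so the value can terminate the attribute, while the 2.0 class keeps the value inside the attribute.

```ruby
begin
  require 'cgi/escape'   # C implementation, available since Ruby 2.3
rescue LoadError
  require 'cgi'          # older Rubies: pure-Ruby CGI with escapeHTML
end

# Reconstructed replacement table (assumption: mirrors the entries Ruby's
# cgi/util.rb uses; "&#39;" is what Ruby 2.0 produces for a single quote).
TABLE = {
  "'" => '&#39;',
  '&' => '&amp;',
  '"' => '&quot;',
  '<' => '&lt;',
  '>' => '&gt;'
}.freeze

# Escaper with the 1.9.3 character class: single quote is NOT escaped.
def escape_html_193(string)
  string.gsub(/[&\"<>]/, TABLE)
end

# Escaper with the 2.0 character class: single quote IS escaped.
def escape_html_200(string)
  string.gsub(/['&\"<>]/, TABLE)
end

# Constructed template: the untrusted value sits in a single-quoted attribute,
# which is exactly the context the 1.9.3 escaper does not protect.
def render_title(value, escaper)
  "<span title='#{escaper.call(value)}'>hello</span>"
end

# True when the escaped value still carries a raw single quote, i.e. when it
# could close a single-quoted attribute early.
def breaks_single_quoted_attr?(value, escaper)
  escaper.call(value).include?("'")
end

# What the interpreter running this file actually does for a single quote.
def stdlib_escape_of_single_quote
  CGI.escapeHTML("'")
end

UNTRUSTED = "x' data-injected='1"  # constructed sample input

if __FILE__ == $0
  puts "1.9.3 style: #{render_title(UNTRUSTED, method(:escape_html_193))}"
  puts "2.0 style:   #{render_title(UNTRUSTED, method(:escape_html_200))}"
  puts "this Ruby:   CGI.escapeHTML(\"'\") => #{stdlib_escape_of_single_quote.inspect}"
end
```

With the 1.9.3-style escaper the rendered span ends up with a second attribute the template author never wrote; with the 2.0-style escaper the whole value stays inside `title='...'`. Double-quoted attributes were already safe in 1.9.3 because `"` was in the table; the 2.0 change closes the remaining gap for single-quoted attributes, which is why it is a security fix rather than a cosmetic one.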