
# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
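module EscapeHtmlHelper
  # Since Ruby 2.0, CGI.escapeHTML escapes the single quote `'` as `&#39;` in addition to the other
  # supported HTML entities (https://bugs.ruby-lang.org/issues/5485). Existing implementations of HTML
  # escaping that do not use CGI.escapeHTML internally, or that do not follow the OWASP recommendation,
  # may still leave `'` untouched. This helper reproduces that older behavior so that specs can reliably
  # compare actual values with expected ones.
  #
  # SECURITY NOTE: this is a test-only helper. Leaving `'` unescaped is unsafe for anything that ends up
  # inside a single-quoted HTML attribute; production code must keep using CGI.escapeHTML (or an
  # equivalent escaper that handles single quotes) and must not call this method.
  #
  # @param string [String] the raw text to escape
  # @return [String] +string+ with `&`, `<`, `>` and `"` escaped as HTML entities and `'` left as-is
  # @raise [StandardError] if +string+ is not a String (whatever CGI.escapeHTML raises for that input)
  def escape_html_wo_single_quotes(string)
    # Escape first, then undo only the single-quote entity. Every `&` in the input has already been
    # escaped to `&amp;` at this point, so an `&#39;` in the escaped output can only originate from a
    # real `'` and can never collide with user data. (The previous approach swapped `'` for U+FFFD before
    # escaping and back afterwards, which silently turned any genuine U+FFFD in the input into `'`.)
    CGI.escapeHTML(string).gsub('&#39;', "'")
  end
end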
# Mix the helper into every example group so specs can call
# `escape_html_wo_single_quotes` directly.
RSpec.configure do |rspec_config|
  rspec_config.include(EscapeHtmlHelper)
end