* lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape

single quotes. [ruby-core:47138] [Bug #6861]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36687 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,8 @@
+Mon Aug 13 13:13:19 2012  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* lib/erb.rb (ERB::Util.html_escape): use CGI.escape to escape
+	  single quotes. [ruby-core:47138] [Bug #6861]
+
 Sun Aug 12 11:57:20 2012  Kazuki Tsujimoto  <kazuki@callcc.net>
 
 	* vm.c (invoke_block_from_c): fix unintentional block passing.

lib/erb.rb

@@ -10,6 +10,8 @@
 #
 # You can redistribute it and/or modify it under the same terms as Ruby.
 
+require "cgi/util"
+
 #
 # = ERB -- Ruby Templating
 #
@@ -909,7 +911,7 @@ class ERB
     #   is a > 0 & a < 10?
     #
     def html_escape(s)
-      s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;")
+      CGI.escapeHTML(s)
     end
     alias h html_escape
     module_function :h

test/erb/test_erb.rb

@@ -37,6 +37,16 @@ class TestERB < Test::Unit::TestCase
     }
     assert_match(/\Atest filename:1\b/, e.backtrace[0])
   end
+
+  def test_html_escape
+    # TODO: &apos; should be chaged to &#x27;
+    assert_equal(" !&quot;\#$%&amp;&apos;()*+,-./0123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
+                 ERB::Util.html_escape(" !\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"))
+
+    assert_equal("", ERB::Util.html_escape(""))
+    assert_equal("abc", ERB::Util.html_escape("abc"))
+    assert_equal("&lt;&lt;", ERB::Util.html_escape("<<"))
+  end
 end
 
 class TestERBCore < Test::Unit::TestCase