use Rack::Utils.escape_html in Sidekiq::Web escape helper

ERB::Util.h doesn't escape apostrophes and slash. Rack::Utils.escape_html is more performant and also escapes all char recommended by OWASP. (https://github.com/rack/rack/issues/27)
2022-11-09 13:52:34 -05:00 · 2013-10-30 22:09:20 +01:00 · 2013-10-30 22:09:20 +01:00 · 2243426914
commit 2243426914
parent 2c049bdaba
1 changed files with 1 additions and 1 deletions
--- a/lib/sidekiq/web_helpers.rb
+++ b/lib/sidekiq/web_helpers.rb
@ -159,7 +159,7 @@ module Sidekiq
    end

    def h(text)
-      ERB::Util.h(text)
+      Rack::Utils.escape_html(text)
    end

    # Any paginated list that performs an action needs to redirect