html_escape should escape single quotes

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

actionpack/test/controller/new_base/render_template_test.rb

@@ -126,7 +126,7 @@ module RenderTemplate
     test "rendering a template with error properly excerts the code" do
       get :with_error
       assert_status 500
-      assert_match "undefined local variable or method `idontexist'", response.body
+      assert_match "undefined local variable or method `idontexist", response.body
     end
   end
 

actionpack/test/controller/render_test.rb

@@ -186,7 +186,7 @@ class TestController < ActionController::Base
 
   # :ported:
   def render_text_hello_world_with_layout
-    @variable_for_layout = ", I'm here!"
+    @variable_for_layout = ", I am here!"
     render :text => "hello world", :layout => true
   end
 
@@ -844,7 +844,7 @@ class RenderTest < ActionController::TestCase
   # :ported:
   def test_do_with_render_text_and_layout
     get :render_text_hello_world_with_layout
-    assert_equal "<html>hello world, I'm here!</html>", @response.body
+    assert_equal "<html>hello world, I am here!</html>", @response.body
   end
 
   # :ported:

actionpack/test/template/erb_util_test.rb

@@ -8,11 +8,11 @@ class ErbUtilTest < ActiveSupport::TestCase
     define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
       assert_equal expected, html_escape(given)
     end
+  end
 
-    unless given == '"'
-      define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
-        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
-      end
+  ERB::Util::JSON_ESCAPE.each do |given, expected|
+    define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+      assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
     end
   end
 
@@ -40,13 +40,13 @@ class ErbUtilTest < ActiveSupport::TestCase
 
   def test_rest_in_ascii
     (0..127).to_a.map {|int| int.chr }.each do |chr|
-      next if chr.in?('&"<>')
+      next if chr.in?('&"<>\'')
       assert_equal chr, html_escape(chr)
     end
   end
 
   def test_html_escape_once
-    assert_equal '1 &lt; 2 &amp; 3', html_escape_once('1 < 2 &amp; 3')
+    assert_equal '1 &lt;&gt;&amp;&quot;&#x27; 2 &amp; 3', html_escape_once('1 <>&"\' 2 &amp; 3')
   end
 
   def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings

actionpack/test/template/form_options_helper_test.rb

@@ -1125,7 +1125,7 @@ class FormOptionsHelperTest < ActionView::TestCase
 
   def test_options_for_select_with_element_attributes
     assert_dom_equal(
-      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"" + ERB::Util.html_escape("alert('Hello World');") + "\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
       options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
     )
   end

actionpack/test/template/form_tag_helper_test.rb

@@ -374,7 +374,7 @@ class FormTagHelperTest < ActionView::TestCase
 
   def test_submit_tag
     assert_dom_equal(
-      %(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
+      %(<input name='commit' data-disable-with="Saving..." onclick=") + ERB::Util.html_escape("alert('hello!')") + %(" type="submit" value="Save" />),
       submit_tag("Save", :onclick => "alert('hello!')", :data => { :disable_with => "Saving..." })
     )
   end

actionpack/test/template/template_test.rb

@@ -84,7 +84,7 @@ class TestERBTemplate < ActiveSupport::TestCase
   def test_locals
     @template = new_template("<%= my_local %>")
     @template.locals = [:my_local]
-    assert_equal "I'm a local", render(:my_local => "I'm a local")
+    assert_equal "I am a local", render(:my_local => "I am a local")
   end
 
   def test_restores_buffer

actionpack/test/template/text_helper_test.rb

@@ -107,8 +107,8 @@ class TextHelperTest < ActionView::TestCase
   end
 
   def test_truncate_with_link_options
-    assert_equal "Here's a long test and I...<a href=\"#\">Continue</a>",
-    truncate("Here's a long test and I need a continue to read link", :length => 27) { link_to 'Continue', '#' }
+    assert_equal "Here is a long test and ...<a href=\"#\">Continue</a>",
+    truncate("Here is a long test and I need a continue to read link", :length => 27) { link_to 'Continue', '#' }
   end
 
   def test_truncate_should_be_html_safe
@@ -149,8 +149,8 @@ class TextHelperTest < ActionView::TestCase
   end
 
   def test_truncate_with_block_should_escape_the_block
-    assert_equal "Here's a long test and I...&lt;script&gt;alert('foo');&lt;/script&gt;",
-      truncate("Here's a long test and I need a continue to read link", :length => 27) { "<script>alert('foo');</script>" }
+    assert_equal "Here is a long test and ...&lt;script&gt;" + ERB::Util.html_escape("alert('foo');") + "&lt;/script&gt;",
+      truncate("Here is a long test and I need a continue to read link", :length => 27) { "<script>alert('foo');</script>" }
   end
 
   def test_highlight_should_be_html_safe

actionpack/test/template/url_helper_test.rb

@@ -244,7 +244,7 @@ class UrlHelperTest < ActiveSupport::TestCase
 
   def test_link_tag_with_custom_onclick
     link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
-    expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
+    expected = %{<a href="http://www.example.com" onclick="} + ERB::Util.html_escape("alert('yay!')") + %{">Hello</a>}
     assert_dom_equal expected, link
   end
 
@@ -254,12 +254,12 @@ class UrlHelperTest < ActiveSupport::TestCase
       link_to("Hello", "http://www.example.com", :data => { :confirm => "Are you sure?" })
     )
     assert_dom_equal(
-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
-      link_to("Hello", "http://www.example.com", :data => { :confirm => "You can't possibly be sure, can you?" })
+      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
+      link_to("Hello", "http://www.example.com", :data => { :confirm => "You cant possibly be sure, can you?" })
     )
     assert_dom_equal(
-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
-      link_to("Hello", "http://www.example.com", :data => { :confirm => "You can't possibly be sure,\n can you?" })
+      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
+      link_to("Hello", "http://www.example.com", :data => { :confirm => "You cant possibly be sure,\n can you?" })
     )
   end
 
@@ -272,14 +272,14 @@ class UrlHelperTest < ActiveSupport::TestCase
     end
     assert_deprecated ":confirm option is deprecated and will be removed from Rails 4.1. Use ':data => { :confirm => \'Text\' }' instead" do
       assert_dom_equal(
-        "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
-        link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
+        "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
+        link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
       )
     end
     assert_deprecated ":confirm option is deprecated and will be removed from Rails 4.1. Use ':data => { :confirm => \'Text\' }' instead" do
       assert_dom_equal(
-        "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
-        link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
+        "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
+        link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
       )
     end
   end

activesupport/lib/active_support/core_ext/string/output_safety.rb

@@ -3,9 +3,9 @@ require 'active_support/core_ext/kernel/singleton_class'
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
-    HTML_ESCAPE_ONCE_REGEXP = /[\"><]|&(?!([a-zA-Z]+|(#\d+));)/
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
     JSON_ESCAPE_REGEXP = /[&"><]/
 
     # A utility method for escaping HTML tag characters.
@@ -21,7 +21,7 @@ class ERB
       if s.html_safe?
         s
       else
-        s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
+        s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
       end
     end
 

activesupport/test/core_ext/string_ext_test.rb

@@ -498,8 +498,8 @@ class OutputSafetyTest < ActiveSupport::TestCase
   end
 
   test "ERB::Util.html_escape should escape unsafe characters" do
-    string = '<>&"'
-    expected = '&lt;&gt;&amp;&quot;'
+    string = '<>&"\''
+    expected = '&lt;&gt;&amp;&quot;&#x27;'
     assert_equal expected, ERB::Util.html_escape(string)
   end