From 07132e0675ecacd9215504e9f9631fa1f83b7670 Mon Sep 17 00:00:00 2001
From: xibbar <xibbar@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Tue, 3 Jul 2012 23:32:33 +0000
Subject: [PATCH] Wed Jul  4 08:24:28 2012  Takeyuki FUJIOKA 
 <xibbar@ruby-lang.org>

  * lib/cgi/util.rb: Add &apos; to CGI's HTML escaping.[Feature #6620]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36299 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/cgi/util.rb           | 9 ++++++---
 test/cgi/test_cgi_util.rb | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
index b877c1bae7..9cfff99b78 100644
--- a/lib/cgi/util.rb
+++ b/lib/cgi/util.rb
@@ -22,6 +22,7 @@ class CGI
 
   # The set of special characters and their escaped values
   TABLE_FOR_ESCAPE_HTML__ = {
+    "'" => '&apos;',
     '&' => '&amp;',
     '"' => '&quot;',
     '<' => '&lt;',
@@ -32,7 +33,7 @@ class CGI
   #   CGI::escapeHTML('Usage: foo "bar" <baz>')
   #      # => "Usage: foo &quot;bar&quot; &lt;baz&gt;"
   def CGI::escapeHTML(string)
-    string.gsub(/[&\"<>]/, TABLE_FOR_ESCAPE_HTML__)
+    string.gsub(/['&\"<>]/, TABLE_FOR_ESCAPE_HTML__)
   end
 
   # Unescape a string that has been HTML-escaped
@@ -41,8 +42,9 @@ class CGI
   def CGI::unescapeHTML(string)
     enc = string.encoding
     if [Encoding::UTF_16BE, Encoding::UTF_16LE, Encoding::UTF_32BE, Encoding::UTF_32LE].include?(enc)
-      return string.gsub(Regexp.new('&(amp|quot|gt|lt|#[0-9]+|#x[0-9A-Fa-f]+);'.encode(enc))) do
+      return string.gsub(Regexp.new('&(apos|amp|quot|gt|lt|#[0-9]+|#x[0-9A-Fa-f]+);'.encode(enc))) do
         case $1.encode("US-ASCII")
+        when 'apos'                then "'".encode(enc)
         when 'amp'                 then '&'.encode(enc)
         when 'quot'                then '"'.encode(enc)
         when 'gt'                  then '>'.encode(enc)
@@ -53,9 +55,10 @@ class CGI
       end
     end
     asciicompat = Encoding.compatible?(string, "a")
-    string.gsub(/&(amp|quot|gt|lt|\#[0-9]+|\#x[0-9A-Fa-f]+);/) do
+    string.gsub(/&(apos|amp|quot|gt|lt|\#[0-9]+|\#x[0-9A-Fa-f]+);/) do
       match = $1.dup
       case match
+      when 'apos'                then "'"
       when 'amp'                 then '&'
       when 'quot'                then '"'
       when 'gt'                  then '>'
diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
index a291d47f99..5b43732476 100644
--- a/test/cgi/test_cgi_util.rb
+++ b/test/cgi/test_cgi_util.rb
@@ -53,4 +53,8 @@ class CGIUtilTest < Test::Unit::TestCase
     assert_equal("<HTML>\n\t<BODY>\n\t</BODY>\n</HTML>\n",CGI::pretty("<HTML><BODY></BODY></HTML>","\t"))
   end
 
+  def test_cgi_unescapeHTML
+    assert_equal(CGI::unescapeHTML("&apos;&amp;&quot;&gt;&lt;"),"'&\"><")
+  end
+
 end