fix(escape): add single-quote escaping to html_escape

Add `'\''` → `&#39;` case to html_escape_into for complete XSS
protection in HTML attribute contexts. Update documentation
and add test case.

Addresses LOW severity finding from security audit.
Timothy DeHerrera
2026-02-05 17:07:54 -07:00
parent 899f904160
commit e4a6305a50


@@ -2,7 +2,7 @@
/// Escape HTML special characters for safe embedding in HTML content.
///
/// Escapes: `&`, `<`, `>`, `"`
/// Escapes: `&`, `<`, `>`, `"`, `'`
pub fn html_escape(s: &str) -> String {
let mut result = String::with_capacity(s.len());
html_escape_into(&mut result, s);
@@ -19,6 +19,7 @@ pub fn html_escape_into(out: &mut String, s: &str) {
'<' => out.push_str("&lt;"),
'>' => out.push_str("&gt;"),
'"' => out.push_str("&quot;"),
'\'' => out.push_str("&#39;"),
_ => out.push(c),
}
}
@@ -44,6 +45,7 @@ mod tests {
assert_eq!(html_escape("Hello & World"), "Hello &amp; World");
assert_eq!(html_escape("<tag>"), "&lt;tag&gt;");
assert_eq!(html_escape("\"quoted\""), "&quot;quoted&quot;");
assert_eq!(html_escape("it's"), "it&#39;s");
}
#[test]
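Review bot: The doc comment on html_escape (first hunk, the `/// Escapes:` line) still presents the output as safe for "HTML content" in general, while this five-character set is only sufficient for text nodes and quoted attribute values; adding `'` does not make the result safe inside unquoted attributes, `<script>`/`<style>` bodies, URLs or event-handler attributes. I would add one line to that docstring: `/// Sufficient for text nodes and quoted attribute values only; not for unquoted attributes, script/style bodies or URL contexts.` If html_escape_into carries its own list of escaped characters (its header is outside the second hunk), it needs the same `'` addition. Choosing `&#39;` over `&apos;` is correct because `&apos;` is not an HTML 4 entity, so a brief comment on the new arm, `// &#39; rather than &apos;: &apos; is XML/HTML5-only`, would keep a later reader from "fixing" it. The test function in the third hunk begins outside the hunk.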