From e4a6305a50600fe70ac090926193e03e731066e1 Mon Sep 17 00:00:00 2001
From: Timothy DeHerrera
Date: Thu, 5 Feb 2026 17:07:54 -0700
Subject: [PATCH] fix(escape): add single-quote escaping to html_escape
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add '\'' → ''' case to html_escape_into for complete XSS protection in HTML attribute contexts. Update documentation and add test case. Addresses LOW severity finding from security audit.
---
 src/escape.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/escape.rs b/src/escape.rs
index ba0ba5a..334623d 100644
--- a/src/escape.rs
+++ b/src/escape.rs
@@ -2,7 +2,7 @@
 /// Escape HTML special characters for safe embedding in HTML content.
 ///
-/// Escapes: `&`, `<`, `>`, `"`
+/// Escapes: `&`, `<`, `>`, `"`, `'`
 pub fn html_escape(s: &str) -> String {
     let mut result = String::with_capacity(s.len());
     html_escape_into(&mut result, s);
@@ -19,6 +19,7 @@ pub fn html_escape_into(out: &mut String, s: &str) {
         '<' => out.push_str("<"),
         '>' => out.push_str(">"),
         '"' => out.push_str("""),
+        '\'' => out.push_str("'"),
         _ => out.push(c),
     }
 }
@@ -44,6 +45,7 @@ mod tests {
         assert_eq!(html_escape("Hello & World"), "Hello & World");
         assert_eq!(html_escape(""), "<tag>");
         assert_eq!(html_escape("\"quoted\""), ""quoted"");
+        assert_eq!(html_escape("it's"), "it's");
     }
 
     #[test]
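Review bot: The updated `/// Escapes:` line in the first hunk lists the characters, but the summary sentence still says only "safe embedding in HTML content", so a caller cannot tell which contexts the output is actually safe in. With `'` now handled, the output is safe as a text node and inside a double- or single-quoted attribute value; it remains insufficient for unquoted attribute values, `<script>`/`<style>` bodies, URL-valued attributes and event-handler attributes, each of which needs context-specific encoding. I would state that contract explicitly, e.g. `/// The result is safe as text content and inside quoted attribute values; it is not sufficient for unquoted attributes, script/style bodies or URL contexts.` The commit message's "complete XSS protection in HTML attribute contexts" should be read with the same qualification.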
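Review bot: The new `'\''` arm in the second hunk reads as pushing a bare `'`, and the neighbouring `<`, `>` and `"` arms read the same way, so the entity text was presumably decoded when the patch was rendered; confirm that the source pushes a numeric reference such as `&#x27;` (or `&#39;`) rather than `&apos;`, which is not defined in HTML 4 and is not recognised by every consumer that will see this output. If it is a numeric reference, a one-line comment on the arm saying why that form was chosen over `&apos;` would stop a later cleanup from "simplifying" it. The enclosing `for`/`match` of `html_escape_into` begins above the hunk.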
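Review bot: The assertion added in the third hunk covers only a lone apostrophe; a case that puts all five of `&`, `<`, `>`, `"`, `'` in one string would pin that every arm fires in sequence and that an `&` already present in the input is not double-escaped on output. A test calling `html_escape_into` on a non-empty `out` would also document that it appends (it only ever calls `push_str`/`push` on `out`), which the allocate-then-fill pattern in `html_escape` relies on. The displayed expected value for `html_escape("")` looks garbled by the page rendering (markup stripped, entities decoded), so the pre-existing assertions cannot be checked from here. The enclosing test function starts above the hunk.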