escape-html should escape apostrophe's

[msmith-techempower]

(defn escape-html
  "Change special characters into HTML character entities."
  [text]
  (.. ^String (as-str text)
    (replace "&" "&")
    (replace "<" "&lt;")
    (replace ">" "&gt;")
    (replace "\"" "&quot;")
    (replace "'" "&apos;")))

[weavejester]

Why?

[msmith-techempower]

Most libraries that handle escaping do this; here is a simple mustache example to illustrate why:

<a href='{{untrustedData}}'>Click Me</a>

Apostrophes are technically valid replacements for quotes in this example, and if the untrusted data does not escape apostrophes and the untrusted data happens to be #' onclick='while(true){alert("hahahaha");} you have opened your page to an attack.

Basically, it is just considered best practice to escape apostrophes as well as quotes, amps, and lg/gt.

[weavejester]

So the use case is if Hiccup is used in conjunction with a library that uses single quotes?

I think we'll need to take into account the special case of HTML4, which doesn't have '

[msmith-techempower]

Full disclosure - I am updating a test that uses Hiccup to produce HTML output, and I validate the output for our benchmarks; I am running into the problem that we consider the test to have failed validation if the apostrophe is not escaped (again, web's "best practices" is rule of law for our validations).

HTML4 should have ', ', or &#039; would you be willing to use one of those?

[weavejester]

Yep, it's recommended to use ' by the w3, though of course all the examples you give are just the same character in different bases.

Something like:

(replace "'" (if (= *html-mode* :sgml) "'" "'"))

[msmith-techempower]

Sounds good to me.

[weavejester]

Fixed in 9d39730