escape-html should escape apostrophe's about hiccup HOT 7 CLOSED

Why?

from hiccup.

Most libraries that handle escaping do this; here is a simple mustache example to illustrate why:

<a href='{{untrustedData}}'>Click Me</a>

Apostrophes are technically valid replacements for quotes in this example, and if the untrusted data does not escape apostrophes and the untrusted data happens to be #' onclick='while(true){alert("hahahaha");} you have opened your page to an attack.

Basically, it is just considered best practice to escape apostrophes as well as quotes, amps, and lg/gt.

from hiccup.

So the use case is if Hiccup is used in conjunction with a library that uses single quotes?

I think we'll need to take into account the special case of HTML4, which doesn't have '

from hiccup.

Full disclosure - I am updating a test that uses Hiccup to produce HTML output, and I validate the output for our benchmarks; I am running into the problem that we consider the test to have failed validation if the apostrophe is not escaped (again, web's "best practices" is rule of law for our validations).

HTML4 should have ', ', or &#039; would you be willing to use one of those?

from hiccup.

Yep, it's recommended to use ' by the w3, though of course all the examples you give are just the same character in different bases.

Something like:

(replace "'" (if (= *html-mode* :sgml) "'" "'"))

from hiccup.

Sounds good to me.

from hiccup.

Fixed in 9d39730

from hiccup.