It's not recommended to escape ' to '

OWASP doesn't recommend it https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content and ' is not a valid in HTML4 http://www.w3.org/TR/html4/sgml/entities.html
ruby · spastorino · Aug 9, 2012 · Aug 13, 2012 · 538bd3ccfc969da49309e567999b34ed69cdce66
commit 538bd3ccfc969da49309e567999b34ed69cdce66
diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
@@ -22,7 +22,7 @@ def CGI::unescape(string,encoding=@@accept_charset)
 
   # The set of special characters and their escaped values
   TABLE_FOR_ESCAPE_HTML__ = {
-    "'" => '&apos;',
+    "'" => '&#x27;',
     '&' => '&amp;',
     '"' => '&quot;',
     '<' => '&lt;',

diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
@@ -54,7 +54,7 @@ def test_cgi_pretty
   end
 
   def test_cgi_escapeHTML
-    assert_equal(CGI::escapeHTML("'&\"><"),"&apos;&amp;&quot;&gt;&lt;")
+    assert_equal(CGI::escapeHTML("'&\"><"),"&#x27;&amp;&quot;&gt;&lt;")
   end
 
   def test_cgi_unescapeHTML

diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
@@ -39,8 +39,7 @@ def test_with_filename_and_safe_level
   end
 
   def test_html_escape
-    # TODO: &apos; should be changed to &#x27;
-    assert_equal(" !&quot;\#$%&amp;&apos;()*+,-./0123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
+    assert_equal(" !&quot;\#$%&amp;&#x27;()*+,-./0123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
                  ERB::Util.html_escape(" !\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"))
 
     assert_equal("", ERB::Util.html_escape(""))