Moderate severityNVD Advisory· Published Oct 15, 2019· Updated Aug 5, 2024

CVE-2017-1002201

Description

In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Haml prior to 5.0.0.beta.2 fails to escape apostrophes, allowing XSS via injection of attributes in rendered HTML.

The vulnerability lies in Haml's html_escape helper, which fails to escape the single quote character (') when processing user-supplied input. This omission allows an attacker to inject arbitrary HTML attributes by breaking out of an attribute context using a single quote [1][4].

To exploit this, an attacker can supply a string containing a single quote followed by additional attributes, such as event handlers. For example, if the input h'i' is rendered in an attribute value, the single quote is not escaped, potentially leading to the injection of onclick or similar attributes that execute JavaScript [2].

Successful exploitation results in cross-site scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, or other malicious actions.

The issue was addressed in Haml version 5.0.0.beta.2, released on February 26, 2017. Users should upgrade to this version or later to mitigate the risk [2][4].

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
hamlRubyGems	< 5.0.0	5.0.0

Affected products

233

ghsa-coords232 versions
pkg:gem/haml pkg:rpm/suse/ardana-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-cobbler&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-cobbler&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-designate&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-designate&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-extensions-example&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-extensions-example&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-extensions-nsx&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-extensions-nsx&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-input-model&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-input-model&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-logging&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-logging&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-monasca&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-monasca&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-monasca-transform&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-monasca-transform&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-mq&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-osconfig&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-tempest&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-tempest&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-ui&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/galera-3&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/keepalived&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/keepalived&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/keepalived&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/mariadb-connector-c&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/mariadb&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/mariadb&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/mariadb&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/mariadb&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-cinder-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-cinder-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-cinder-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-dashboard&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-dashboard-theme-SUSE&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-dashboard-theme-SUSE&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-dashboard-theme-SUSE&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-heat-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-horizon-plugin-designate-ui&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-horizon-plugin-designate-ui&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-horizon-plugin-designate-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-horizon-plugin-neutron-lbaas-ui&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-horizon-plugin-neutron-lbaas-ui&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-horizon-plugin-neutron-lbaas-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-ironic&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-ironic-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-ironic-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-ironic-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-monasca-agent&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-gbp&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-vsphere&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-vsphere&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-vsphere&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-nova-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-octavia&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-resource-agents&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-resource-agents&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-resource-agents&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-sahara&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-sahara&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-sahara-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-sahara-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-sahara-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-trove&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-trove&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-trove&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-trove-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-trove-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-trove-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/patterns-cloud&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-cinderlm&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-cinderlm&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-congressclient&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-congressclient&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-congressclient&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-designateclient&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-designateclient&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-designateclient&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-freezegun&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-freezegun&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-ironic-lib&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-ironic-lib&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-ironic-lib&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-networking-cisco&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-networking-cisco&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-networking-cisco&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-osc-lib&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-osc-lib&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-osc-lib&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.context&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-oslo.context&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-oslo.context&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-oslo.rootwrap&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-oslo.rootwrap&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-oslo.rootwrap&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.serialization&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-oslo.serialization&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-oslo.serialization&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.service&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-oslo.service&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-oslo.service&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.utils&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-stevedore&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-stevedore&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-stevedore&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-taskflow&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-taskflow&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-taskflow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-haml&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-haml&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-haml&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/venv-openstack-aodh&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-aodh&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-designate&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-magnum&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-manila&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-murano&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-sahara&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-swift&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-trove&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208
< 5.0.0+ 231 more
- (no CPE)range: < 5.0.0
- (no CPE)range: < 8.0+git.1579279939.ee7da88-3.39.3
- (no CPE)range: < 8.0+git.1579279939.ee7da88-3.39.3
- (no CPE)range: < 8.0+git.1575037115.0326803-3.41.3
- (no CPE)range: < 8.0+git.1575037115.0326803-3.41.3
- (no CPE)range: < 8.0+git.1573597788.15b7984-3.17.3
- (no CPE)range: < 8.0+git.1573597788.15b7984-3.17.3
- (no CPE)range: < 8.0+git.1534266307.db1ec28-3.3.3
- (no CPE)range: < 8.0+git.1534266307.db1ec28-3.3.3
- (no CPE)range: < 8.0+git.1567529036.a41a037-3.6.4
- (no CPE)range: < 8.0+git.1567529036.a41a037-3.6.4
- (no CPE)range: < 8.0+git.1571846045.ab9e3ea-3.20.3
- (no CPE)range: < 8.0+git.1571846045.ab9e3ea-3.20.3
- (no CPE)range: < 8.0+git.1571777596.14dce6a-3.15.3
- (no CPE)range: < 8.0+git.1571777596.14dce6a-3.15.3
- (no CPE)range: < 8.0+git.1582147997.b9ed134-3.36.3
- (no CPE)range: < 8.0+git.1582147997.b9ed134-3.36.3
- (no CPE)range: < 8.0+git.1571845225.006843d-3.9.3
- (no CPE)range: < 8.0+git.1571845225.006843d-3.9.3
- (no CPE)range: < 8.0+git.1573147067.09e3ea0-3.27.3
- (no CPE)range: < 8.0+git.1573147067.09e3ea0-3.27.3
- (no CPE)range: < 8.0+git.1572452293.e65d714-3.21.3
- (no CPE)range: < 8.0+git.1572452293.e65d714-3.21.3
- (no CPE)range: < 8.0+git.1572527728.9b34bdf-3.21.3
- (no CPE)range: < 8.0+git.1572527728.9b34bdf-3.21.3
- (no CPE)range: < 8.0+git.1571845965.97714fb-3.12.3
- (no CPE)range: < 8.0+git.1571845965.97714fb-3.12.3
- (no CPE)range: < 8.0+git.1581024906.fbf0be3-3.16.3
- (no CPE)range: < 8.0+git.1581024906.fbf0be3-3.16.3
- (no CPE)range: < 8.0+git.1573050365.ff6fa06-3.36.3
- (no CPE)range: < 8.0+git.1573050365.ff6fa06-3.36.3
- (no CPE)range: < 8.0+git.1571846125.584d988-3.38.3
- (no CPE)range: < 8.0+git.1571846125.584d988-3.38.3
- (no CPE)range: < 8.0+git.1575642049.1f321d0-3.23.3
- (no CPE)range: < 8.0+git.1575642049.1f321d0-3.23.3
- (no CPE)range: < 8.0+git.1581015942.2d21e63-3.42.3
- (no CPE)range: < 8.0+git.1581015942.2d21e63-3.42.3
- (no CPE)range: < 8.0+git.1579261264.7dd213a-3.30.3
- (no CPE)range: < 8.0+git.1579261264.7dd213a-3.30.3
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-1.9.1
- (no CPE)range: < 4.0+git.1573109906.0f62e9503-9.57.2
- (no CPE)range: < 5.0+git.1582968668.1a55c77c5-3.35.4
- (no CPE)range: < 5.0+git.1574286229.e0364c3-3.29.3
- (no CPE)range: < 4.0+git.1573038068.1e32b3205-9.62.2
- (no CPE)range: < 5.0+git.1582911795.5081ef1da-4.34.3
- (no CPE)range: < 1.1.0+git.1547500033.d0fb2bf2-4.12.1
- (no CPE)range: < 1.2.0+git.1575896697.a01a3a08-3.15.3
- (no CPE)range: < 25.3.25-11.1
- (no CPE)range: < 2.0.19-3.6.3
- (no CPE)range: < 2.0.19-3.6.3
- (no CPE)range: < 2.0.19-3.6.3
- (no CPE)range: < 3.1.2-1.9.1
- (no CPE)range: < 10.2.31-4.17.3
- (no CPE)range: < 10.2.25-13.1
- (no CPE)range: < 10.2.31-4.17.3
- (no CPE)range: < 10.2.31-4.17.3
- (no CPE)range: < 11.2.3~dev23-3.24.4
- (no CPE)range: < 11.2.3~dev23-3.24.4
- (no CPE)range: < 11.2.3~dev23-3.24.4
- (no CPE)range: < 11.2.3~dev23-3.24.3
- (no CPE)range: < 11.2.3~dev23-3.24.3
- (no CPE)range: < 11.2.3~dev23-3.24.3
- (no CPE)range: < 12.0.5~dev2-3.23.4
- (no CPE)range: < 12.0.5~dev2-3.23.4
- (no CPE)range: < 12.0.5~dev2-3.23.4
- (no CPE)range: < 2016.2-5.9.2
- (no CPE)range: < 2017.2+git.1573629528.6b21fa5-7.14.3
- (no CPE)range: < 2017.2+git.1573629528.6b21fa5-7.14.3
- (no CPE)range: < 9.0.8~dev22-3.27.4
- (no CPE)range: < 9.0.8~dev22-3.27.4
- (no CPE)range: < 9.0.8~dev22-3.27.4
- (no CPE)range: < 9.0.8~dev22-3.27.3
- (no CPE)range: < 9.0.8~dev22-3.27.3
- (no CPE)range: < 9.0.8~dev22-3.27.3
- (no CPE)range: < 0.0.0+git.1560033670.e3b5a52-3.12.3
- (no CPE)range: < 0.0.0+git.1515995585.81ed236-12.1
- (no CPE)range: < 0.0.0+git.1560033670.e3b5a52-3.12.3
- (no CPE)range: < 0.0.0+git.1560033670.e3b5a52-3.12.3
- (no CPE)range: < 5.0.3~dev2-3.9.3
- (no CPE)range: < 5.0.3~dev2-3.9.3
- (no CPE)range: < 5.0.3~dev2-3.9.3
- (no CPE)range: < 3.0.3~dev5-3.14.3
- (no CPE)range: < 3.0.3~dev5-3.14.3
- (no CPE)range: < 3.0.3~dev5-3.14.3
- (no CPE)range: < 9.1.8~dev8-3.24.4
- (no CPE)range: < 9.1.8~dev8-3.24.4
- (no CPE)range: < 9.1.8~dev8-3.24.4
- (no CPE)range: < 9.1.8~dev8-3.24.3
- (no CPE)range: < 9.1.8~dev8-3.24.3
- (no CPE)range: < 9.1.8~dev8-3.24.3
- (no CPE)range: < 12.0.4~dev5-5.30.4
- (no CPE)range: < 12.0.4~dev5-5.30.4
- (no CPE)range: < 12.0.4~dev5-5.30.4
- (no CPE)range: < 12.0.4~dev5-5.30.3
- (no CPE)range: < 12.0.4~dev5-5.30.3
- (no CPE)range: < 12.0.4~dev5-5.30.3
- (no CPE)range: < 2.2.5~dev5-3.15.2
- (no CPE)range: < 2.2.5~dev5-3.15.2
- (no CPE)range: < 2.2.5~dev5-3.15.2
- (no CPE)range: < 11.0.9~dev60-3.27.4
- (no CPE)range: < 9.4.2~dev21-7.35.3
- (no CPE)range: < 11.0.9~dev60-3.27.4
- (no CPE)range: < 11.0.9~dev60-3.27.4
- (no CPE)range: < 11.0.9~dev60-3.27.3
- (no CPE)range: < 9.4.2~dev21-7.35.1
- (no CPE)range: < 11.0.9~dev60-3.27.3
- (no CPE)range: < 11.0.9~dev60-3.27.3
- (no CPE)range: < 7.3.1~dev72-3.12.3
- (no CPE)range: < 7.3.1~dev72-3.12.3
- (no CPE)range: < 7.3.1~dev72-3.12.3
- (no CPE)range: < 2.0.1~dev133-3.12.3
- (no CPE)range: < 2.0.1~dev133-3.12.3
- (no CPE)range: < 2.0.1~dev133-3.12.3
- (no CPE)range: < 16.1.9~dev49-3.32.4
- (no CPE)range: < 14.0.11~dev13-4.37.3
- (no CPE)range: < 16.1.9~dev49-3.32.4
- (no CPE)range: < 16.1.9~dev49-3.32.4
- (no CPE)range: < 16.1.9~dev49-3.32.3
- (no CPE)range: < 14.0.11~dev13-4.37.2
- (no CPE)range: < 16.1.9~dev49-3.32.3
- (no CPE)range: < 16.1.9~dev49-3.32.3
- (no CPE)range: < 0.1.2-3.9.3
- (no CPE)range: < 0.1.2-3.9.3
- (no CPE)range: < 0.1.2-3.9.3
- (no CPE)range: < 1.0.6~dev3-4.21.3
- (no CPE)range: < 1.0.6~dev3-4.21.3
- (no CPE)range: < 1.0.6~dev3-4.21.3
- (no CPE)range: < 1.0+git.1569436425.8b9c49f-3.3.3
- (no CPE)range: < 1.0+git.1569436425.8b9c49f-3.3.3
- (no CPE)range: < 1.0+git.1569436425.8b9c49f-3.3.3
- (no CPE)range: < 7.0.5~dev4-3.12.4
- (no CPE)range: < 7.0.5~dev4-3.12.4
- (no CPE)range: < 7.0.5~dev4-3.12.4
- (no CPE)range: < 7.0.5~dev4-3.12.3
- (no CPE)range: < 7.0.5~dev4-3.12.3
- (no CPE)range: < 7.0.5~dev4-3.12.3
- (no CPE)range: < 8.0.2~dev2-3.12.3
- (no CPE)range: < 8.0.2~dev2-3.12.3
- (no CPE)range: < 8.0.2~dev2-3.12.3
- (no CPE)range: < 8.0.2~dev2-3.12.3
- (no CPE)range: < 8.0.2~dev2-3.12.3
- (no CPE)range: < 8.0.2~dev2-3.12.3
- (no CPE)range: < 20170124-4.6.1
- (no CPE)range: < 0.0.2+git.1571845893.27f0b7b-3.9.3
- (no CPE)range: < 0.0.2+git.1571845893.27f0b7b-3.9.3
- (no CPE)range: < 1.8.1-3.3.4
- (no CPE)range: < 1.8.1-3.3.4
- (no CPE)range: < 1.8.1-3.3.4
- (no CPE)range: < 2.7.1-3.3.4
- (no CPE)range: < 2.7.1-3.3.4
- (no CPE)range: < 2.7.1-3.3.4
- (no CPE)range: < 0.3.9-1.3.3
- (no CPE)range: < 0.3.9-1.3.3
- (no CPE)range: < 2.10.2-3.3.3
- (no CPE)range: < 2.10.2-3.3.3
- (no CPE)range: < 2.10.2-3.3.3
- (no CPE)range: < 6.1.1~dev65-3.3.3
- (no CPE)range: < 6.1.1~dev65-3.3.3
- (no CPE)range: < 6.1.1~dev65-3.3.3
- (no CPE)range: < 1.7.1-3.3.3
- (no CPE)range: < 1.7.1-3.3.3
- (no CPE)range: < 1.7.1-3.3.3
- (no CPE)range: < 2.17.2-3.3.3
- (no CPE)range: < 2.17.2-3.3.3
- (no CPE)range: < 2.17.2-3.3.3
- (no CPE)range: < 5.10.2-3.12.1
- (no CPE)range: < 5.9.3-3.3.3
- (no CPE)range: < 5.9.3-3.3.3
- (no CPE)range: < 5.9.3-3.3.3
- (no CPE)range: < 2.20.3-3.3.3
- (no CPE)range: < 2.20.3-3.3.3
- (no CPE)range: < 2.20.3-3.3.3
- (no CPE)range: < 1.25.2-3.3.3
- (no CPE)range: < 1.25.2-3.3.3
- (no CPE)range: < 1.25.2-3.3.3
- (no CPE)range: < 3.16.1-3.6.1
- (no CPE)range: < 4.0.2-3.14.1
- (no CPE)range: < 1.25.2-3.3.3
- (no CPE)range: < 1.25.2-3.3.3
- (no CPE)range: < 1.25.2-3.3.3
- (no CPE)range: < 2.14.2-3.3.3
- (no CPE)range: < 2.14.2-3.3.3
- (no CPE)range: < 2.14.2-3.3.3
- (no CPE)range: < 3.9.1-3.9.3
- (no CPE)range: < 4.0.6-3.3.1
- (no CPE)range: < 4.0.6-3.3.1
- (no CPE)range: < 4.0.6-3.3.1
- (no CPE)range: < 2.16.0-3.3.3
- (no CPE)range: < 5.1.1~dev7-12.22.2
- (no CPE)range: < 5.1.1~dev7-12.22.2
- (no CPE)range: < 5.0.2~dev3-12.23.2
- (no CPE)range: < 5.0.2~dev3-12.23.2
- (no CPE)range: < 9.0.8~dev7-12.20.2
- (no CPE)range: < 9.0.8~dev7-12.20.2
- (no CPE)range: < 11.2.3~dev23-14.23.2
- (no CPE)range: < 11.2.3~dev23-14.23.2
- (no CPE)range: < 5.0.3~dev7-12.21.2
- (no CPE)range: < 5.0.3~dev7-12.21.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.18.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.18.2
- (no CPE)range: < 15.0.3~dev3-12.21.2
- (no CPE)range: < 15.0.3~dev3-12.21.2
- (no CPE)range: < 9.0.8~dev22-12.23.2
- (no CPE)range: < 9.0.8~dev22-12.23.2
- (no CPE)range: < 12.0.5~dev2-14.28.2
- (no CPE)range: < 12.0.5~dev2-14.28.2
- (no CPE)range: < 9.1.8~dev8-12.23.2
- (no CPE)range: < 9.1.8~dev8-12.23.2
- (no CPE)range: < 12.0.4~dev5-11.24.2
- (no CPE)range: < 12.0.4~dev5-11.24.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.22.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.22.2
- (no CPE)range: < 5.1.1~dev2-12.25.2
- (no CPE)range: < 5.1.1~dev2-12.25.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.18.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.18.2
- (no CPE)range: < 2.2.2~dev1-11.20.2
- (no CPE)range: < 2.2.2~dev1-11.20.2
- (no CPE)range: < 4.0.2~dev2-12.18.2
- (no CPE)range: < 4.0.2~dev2-12.18.2
- (no CPE)range: < 11.0.9~dev60-13.26.2
- (no CPE)range: < 11.0.9~dev60-13.26.2
- (no CPE)range: < 16.1.9~dev49-11.24.2
- (no CPE)range: < 16.1.9~dev49-11.24.2
- (no CPE)range: < 1.0.6~dev3-12.23.2
- (no CPE)range: < 1.0.6~dev3-12.23.2
- (no CPE)range: < 7.0.5~dev4-11.22.2
- (no CPE)range: < 7.0.5~dev4-11.22.2
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.16.3
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.16.3
- (no CPE)range: < 8.0.2~dev2-11.22.2
- (no CPE)range: < 8.0.2~dev2-11.22.2
Http://haml.info//Hamlv5
Range: All versions prior to version 5.0.0.beta.2

Patches

18576ae6e9bd

Always escape `'` in Haml::Helpers.#html_escape.

https://github.com/haml/hamlTakashi KokubunFeb 8, 2017via ghsa

commit

5 files changed · +19 −19

lib/haml/helpers.rb+1 −1 modified

@@ -596,7 +596,7 @@ def haml_tag_if(condition, *tag)
     # Characters that need to be escaped to HTML entities from user input
     HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#039;' }
 
-    HTML_ESCAPE_REGEX = /[\"><&]/
+    HTML_ESCAPE_REGEX = /['"><&]/
 
     # Returns a copy of `text` with ampersands, angle brackets and quotes
     # escaped into HTML entities.

test/engine_test.rb+7 −7 modified

@@ -1127,8 +1127,8 @@ def test_doctypes
   def test_attr_wrapper
     assert_equal("<p strange=*attrs*></p>\n", render("%p{ :strange => 'attrs'}", :attr_wrapper => '*'))
     assert_equal("<p escaped='quo\"te'></p>\n", render("%p{ :escaped => 'quo\"te'}", :attr_wrapper => '"'))
-    assert_equal("<p escaped=\"quo'te\"></p>\n", render("%p{ :escaped => 'quo\\'te'}", :attr_wrapper => '"'))
-    assert_equal("<p escaped=\"q'uo&#x0022;te\"></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
+    assert_equal("<p escaped=\"quo&#039;te\"></p>\n", render("%p{ :escaped => 'quo\\'te'}", :attr_wrapper => '"'))
+    assert_equal("<p escaped='q&#039;uo\"te'></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
     assert_equal("<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n", render("!!! XML", :attr_wrapper => '"', :format => :xhtml))
   end
 
@@ -1534,7 +1534,7 @@ def test_html5_data_attributes_without_hyphenation
       render("%div{:data => {:one_plus_one => 1+1}}",
         :hyphenate_data_attrs => false))
 
-    assert_equal("<div data-foo='Here&#x0027;s a \"quoteful\" string.'></div>\n",
+    assert_equal("<div data-foo='Here&#039;s a \"quoteful\" string.'></div>\n",
       render(%{%div{:data => {:foo => %{Here's a "quoteful" string.}}}},
         :hyphenate_data_attrs => false)) #'
   end
@@ -1698,9 +1698,9 @@ def test_truthy_new_attributes
   def test_new_attribute_parsing
     assert_equal("<a a2='b2'>bar</a>\n", render("%a(a2=b2) bar", :locals => {:b2 => 'b2'}))
     assert_equal(%Q{<a a='foo"bar'>bar</a>\n}, render(%q{%a(a="#{'foo"bar'}") bar})) #'
-    assert_equal(%Q{<a a="foo'bar">bar</a>\n}, render(%q{%a(a="#{"foo'bar"}") bar})) #'
+    assert_equal(%Q{<a a='foo&#039;bar'>bar</a>\n}, render(%q{%a(a="#{"foo'bar"}") bar})) #'
     assert_equal(%Q{<a a='foo"bar'>bar</a>\n}, render(%q{%a(a='foo"bar') bar}))
-    assert_equal(%Q{<a a="foo'bar">bar</a>\n}, render(%q{%a(a="foo'bar") bar}))
+    assert_equal(%Q{<a a='foo&#039;bar'>bar</a>\n}, render(%q{%a(a="foo'bar") bar}))
     assert_equal("<a a:b='foo'>bar</a>\n", render("%a(a:b='foo') bar"))
     assert_equal("<a a='foo' b='bar'>bar</a>\n", render("%a(a = 'foo' b = 'bar') bar"))
     assert_equal("<a a='foo' b='bar'>bar</a>\n", render("%a(a = foo b = bar) bar", :locals => {:foo => 'foo', :bar => 'bar'}))
@@ -1713,8 +1713,8 @@ def test_new_attribute_escaping
     assert_equal(%Q{<a a='foo " bar'>bar</a>\n}, render(%q{%a(a="foo \" bar") bar}))
     assert_equal(%Q{<a a='foo \\" bar'>bar</a>\n}, render(%q{%a(a="foo \\\\\" bar") bar}))
 
-    assert_equal(%Q{<a a="foo ' bar">bar</a>\n}, render(%q{%a(a='foo \' bar') bar}))
-    assert_equal(%Q{<a a="foo \\' bar">bar</a>\n}, render(%q{%a(a='foo \\\\\' bar') bar}))
+    assert_equal(%Q{<a a='foo &#039; bar'>bar</a>\n}, render(%q{%a(a='foo \' bar') bar}))
+    assert_equal(%Q{<a a='foo \\&#039; bar'>bar</a>\n}, render(%q{%a(a='foo \\\\\' bar') bar}))
 
     assert_equal(%Q{<a a='foo \\ bar'>bar</a>\n}, render(%q{%a(a="foo \\\\ bar") bar}))
     assert_equal(%Q{<a a='foo \#{1 + 1} bar'>bar</a>\n}, render(%q{%a(a="foo \#{1 + 1} bar") bar}))

test/pretty_engine_test.rb+7 −7 modified

@@ -1129,8 +1129,8 @@ def test_doctypes
   def test_attr_wrapper
     assert_equal("<p strange=*attrs*></p>\n", render("%p{ :strange => 'attrs'}", :attr_wrapper => '*'))
     assert_equal("<p escaped='quo\"te'></p>\n", render("%p{ :escaped => 'quo\"te'}", :attr_wrapper => '"'))
-    assert_equal("<p escaped=\"quo'te\"></p>\n", render("%p{ :escaped => 'quo\\'te'}", :attr_wrapper => '"'))
-    assert_equal("<p escaped=\"q'uo&#x0022;te\"></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
+    assert_equal("<p escaped=\"quo&#039;te\"></p>\n", render("%p{ :escaped => 'quo\\'te'}", :attr_wrapper => '"'))
+    assert_equal("<p escaped='q&#039;uo\"te'></p>\n", render("%p{ :escaped => 'q\\'uo\"te'}", :attr_wrapper => '"'))
     assert_equal("<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n", render("!!! XML", :attr_wrapper => '"', :format => :xhtml))
   end
 
@@ -1527,7 +1527,7 @@ def test_html5_data_attributes_without_hyphenation
       render("%div{:data => {:one_plus_one => 1+1}}",
         :hyphenate_data_attrs => false))
 
-    assert_equal("<div data-foo='Here&#x0027;s a \"quoteful\" string.'></div>\n",
+    assert_equal("<div data-foo='Here&#039;s a \"quoteful\" string.'></div>\n",
       render(%{%div{:data => {:foo => %{Here's a "quoteful" string.}}}},
         :hyphenate_data_attrs => false)) #'
   end
@@ -1691,9 +1691,9 @@ def test_truthy_new_attributes
   def test_new_attribute_parsing
     assert_equal("<a a2='b2'>bar</a>\n", render("%a(a2=b2) bar", :locals => {:b2 => 'b2'}))
     assert_equal(%Q{<a a='foo"bar'>bar</a>\n}, render(%q{%a(a="#{'foo"bar'}") bar})) #'
-    assert_equal(%Q{<a a="foo'bar">bar</a>\n}, render(%q{%a(a="#{"foo'bar"}") bar})) #'
+    assert_equal(%Q{<a a='foo&#039;bar'>bar</a>\n}, render(%q{%a(a="#{"foo'bar"}") bar})) #'
     assert_equal(%Q{<a a='foo"bar'>bar</a>\n}, render(%q{%a(a='foo"bar') bar}))
-    assert_equal(%Q{<a a="foo'bar">bar</a>\n}, render(%q{%a(a="foo'bar") bar}))
+    assert_equal(%Q{<a a='foo&#039;bar'>bar</a>\n}, render(%q{%a(a="foo'bar") bar}))
     assert_equal("<a a:b='foo'>bar</a>\n", render("%a(a:b='foo') bar"))
     assert_equal("<a a='foo' b='bar'>bar</a>\n", render("%a(a = 'foo' b = 'bar') bar"))
     assert_equal("<a a='foo' b='bar'>bar</a>\n", render("%a(a = foo b = bar) bar", :locals => {:foo => 'foo', :bar => 'bar'}))
@@ -1706,8 +1706,8 @@ def test_new_attribute_escaping
     assert_equal(%Q{<a a='foo " bar'>bar</a>\n}, render(%q{%a(a="foo \" bar") bar}))
     assert_equal(%Q{<a a='foo \\" bar'>bar</a>\n}, render(%q{%a(a="foo \\\\\" bar") bar}))
 
-    assert_equal(%Q{<a a="foo ' bar">bar</a>\n}, render(%q{%a(a='foo \' bar') bar}))
-    assert_equal(%Q{<a a="foo \\' bar">bar</a>\n}, render(%q{%a(a='foo \\\\\' bar') bar}))
+    assert_equal(%Q{<a a='foo &#039; bar'>bar</a>\n}, render(%q{%a(a='foo \' bar') bar}))
+    assert_equal(%Q{<a a='foo \\&#039; bar'>bar</a>\n}, render(%q{%a(a='foo \\\\\' bar') bar}))
 
     assert_equal(%Q{<a a='foo \\ bar'>bar</a>\n}, render(%q{%a(a="foo \\\\ bar") bar}))
     assert_equal(%Q{<a a='foo \#{1 + 1} bar'>bar</a>\n}, render(%q{%a(a="foo \#{1 + 1} bar") bar}))

test/pretty_results/just_stuff.xhtml+2 −2 modified

@@ -6,7 +6,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
-<strong apos="Foo's bar!">Boo!</strong>
+<strong apos='Foo&#039;s bar!'>Boo!</strong>
 Embedded? false!
 Embedded? true!
 Embedded? true!
@@ -61,7 +61,7 @@ testtest
 <p class='article quux qux' id='article_1'>Blump</p>
 <p class='article' id='foo_bar_baz_article_1'>Whee</p>
 Woah inner quotes
-<p class='dynamic_quote' dyn='3' quotes="single '"></p>
+<p class='dynamic_quote' dyn='3' quotes='single &#039;'></p>
 <p class='dynamic_self_closing' dyn='3' />
 <body>
   hello

test/results/just_stuff.xhtml+2 −2 modified

@@ -6,7 +6,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
-<strong apos="Foo's bar!">Boo!</strong>
+<strong apos='Foo&#039;s bar!'>Boo!</strong>
 Embedded? false!
 Embedded? true!
 Embedded? true!
@@ -61,7 +61,7 @@ Nested content
 <p class='article quux qux' id='article_1'>Blump</p>
 <p class='article' id='foo_bar_baz_article_1'>Whee</p>
 Woah inner quotes
-<p class='dynamic_quote' dyn='3' quotes="single '"></p>
+<p class='dynamic_quote' dyn='3' quotes='single &#039;'></p>
 <p class='dynamic_self_closing' dyn='3' />
 <body>
 hello

Vulnerability mechanics

Root cause

"The Haml library failed to properly escape the single quote character when rendering user-provided input within HTML attributes."

Attack vector

An attacker can exploit this vulnerability by providing crafted input containing single quote characters to an application using Haml. By injecting these characters, an attacker can break out of the intended attribute context to introduce additional attributes. This manipulation can potentially lead to code execution depending on how the application processes the resulting HTML [patch_id=14865].

Affected code

The vulnerability exists in the Haml library, specifically in how it handles attribute escaping for user-provided input. The issue involves the failure to properly escape the single quote character (`'`) within attribute values. This flaw affects versions prior to 5.0.0.beta.2 [patch_id=14865].

What the fix does

The patch updates the escaping logic to include the single quote character (`'`) in the set of characters that are properly escaped when processing attributes. By ensuring that single quotes are transformed into their corresponding HTML entities, the patch prevents attackers from prematurely closing attribute values. This change effectively mitigates the risk of attribute injection [patch_id=14865].

Preconditions

configThe application must be using a version of Haml prior to 5.0.0.beta.2.
inputThe application must pass unsanitized user input into Haml templates where it is rendered as an HTML attribute.

Generated on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-r53w-g4xm-3gc6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-1002201ghsaADVISORY
security.gentoo.org/glsa/202007-27ghsavendor-advisoryx_refsource_GENTOOWEB
github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2ghsax_refsource_MISCWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/haml/CVE-2017-1002201.ymlghsaWEB
lists.debian.org/debian-lts-announce/2019/11/msg00007.htmlghsamailing-listx_refsource_MLISTWEB
lists.debian.org/debian-lts-announce/2021/12/msg00028.htmlghsamailing-listx_refsource_MLISTWEB
snyk.io/vuln/SNYK-RUBY-HAML-20362ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000