From 8d0b2162a09183eb3d58a5a1d824b4daf16bf3c8 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Wed, 13 Apr 2022 22:02:21 +0900
Subject: [PATCH] [ruby/rdoc] Escape main title https://hackerone.com/reports/1187156 https://github.com/ruby/rdoc/commit/5dedb5741d
---
 .../generator/template/darkfish/index.rhtml | 2 +-
 test/rdoc/test_rdoc_generator_darkfish.rb | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/lib/rdoc/generator/template/darkfish/index.rhtml b/lib/rdoc/generator/template/darkfish/index.rhtml
index 13fa3dcc7f..423e225b68 100644
--- a/lib/rdoc/generator/template/darkfish/index.rhtml
+++ b/lib/rdoc/generator/template/darkfish/index.rhtml
@@ -17,6 +17,6 @@ main_page = @files.find { |f| f.full_name == @options.main_page } then %> <%= main_page.description %> <%- else -%> -

This is the API documentation for <%= @title %>. +

This is the API documentation for <%= h @title %>. <%- end -%>
diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index ae3a4c5ebf..1cee3e44ab 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -248,6 +248,22 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
 assert_include File.read('index.html'), %Q[href="./#{base}"]
 end
+ def test_title title = "RDoc Test".freeze
+ @options.title = title
+ @g.generate
+
+ assert_main_title(File.read('index.html'), title)
+ end
+
+ def test_title_escape title = %[].freeze
+ @options.title = title
+ @g.generate
+
+ assert_main_title(File.read('index.html'), title)
+ end
+
 ## # Asserts that +filename+ has a link count greater than 1 if hard links to # @tmpdir are supported.
@@ -271,4 +287,9 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
 "#(unknown) is not hard-linked"
 end
+ def assert_main_title(content, title)
+ title = CGI.escapeHTML(title)
+ assert_equal(title, content[%r[(.*?)<\/title>]im, 1])
+ assert_include(content[%r[<main\s[^<>]*+>\s*(.*?)</main>]im, 1], title)
+ end
 end
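Review bot: Only the fallback paragraph in index.rhtml gains `h`, yet `@title` comes straight from the title option (`@options.title`) and the new test also asserts the `<title>` element, which this hunk does not touch; any other darkfish template that still renders `<%= @title %>` leaves the same input unescaped. Worth grepping the template directory for remaining `<%= @title %>` occurrences and changing them to `<%= h @title %>` in the same commit. `h` is presumably ERB::Util's html_escape exposed to the template binding — confirm it is actually defined for this template rather than assumed. The enclosing `<%- if … -%>`/`<%- else -%>` construct begins before the hunk, and the paragraph's surrounding element is not visible in this view.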
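Review bot: As rendered here, the title literal in `test_title_escape` is `%[]`, for which `CGI.escapeHTML` returns the input unchanged, so the assertion cannot distinguish escaped from unescaped output and would also pass against the pre-fix template; the literal needs characters that actually change under escaping (`<`, `>`, `&`, `"`), e.g. `title = %[<b>RDoc & "Test"</b>].freeze`, if the committed value does not already contain them (this view may have dropped markup). Likewise the first regex in `assert_main_title` shows no opening tag before `(.*?)<\/title>`, which would capture from the start of the document; the opening `<title>` presumably belongs ahead of the group. `assert_main_title` also lacks the `##` doc comment its sibling helper carries — a line such as `# Asserts that +content+ shows +title+, HTML-escaped, in both its <title> element and its main element` keeps the file's style — and reassigning the `title` parameter could be replaced by a fresh local like `escaped`. `CGI.escapeHTML` needs cgi to be loaded; unless the test helper already requires it, add `require 'cgi'` at the top of the file.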