1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/rdoc] Escape RDOCLINKs

Browse Source 
https://hackerone.com/reports/1187156

https://github.com/ruby/rdoc/commit/7cecf1efae
This commit is contained in:
Nobuyoshi Nakada 2022-04-13 16:14:07 +09:00 committed by git
parent deaa656608
commit 9e3ab9da7f
2 changed files with 30 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/rdoc/markup/to_html.rb
View File

@ -84,7 +84,7 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
def handle_RDOCLINK url # :nodoc: def handle_RDOCLINK url # :nodoc:
case url case url
when /^rdoc-ref:/ when /^rdoc-ref:/
$' CGI.escapeHTML($')
when /^rdoc-label:/ when /^rdoc-label:/
text = $' text = $'
@ -95,13 +95,11 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
else text else text
end end
gen_url url, text gen_url CGI.escapeHTML(url), CGI.escapeHTML(text)
when /^rdoc-image:/ when /^rdoc-image:/
"<img src=\"#{$'}\">" %[<img src=\"#{CGI.escapeHTML($')}\">]
else when /\Ardoc-[a-z]+:/
url =~ /\Ardoc-[a-z]+:/ CGI.escapeHTML($')
$'
end end
end end

25
test/rdoc/test_rdoc_markup_to_html.rb
View File

@ -665,6 +665,26 @@ EXPECTED
assert_equal "\n<p>C</p>\n", result assert_equal "\n<p>C</p>\n", result
end end
def test_convert_RDOCLINK_escape_image
assert_escaped '<script>', 'rdoc-image:"><script>alert(`rdoc-image`)</script>"'
end
def test_convert_RDOCLINK_escape_label_id
assert_escaped '<script>', 'rdoc-label::path::"><script>alert(`rdoc-label_id`)</script>"'
end
def test_convert_RDOCLINK_escape_label_path
assert_escaped '<script>', 'rdoc-label::"><script>alert(`rdoc-label_path`)</script>"'
end
def test_convert_RDOCLINK_escape_ref
assert_escaped '<script>', 'rdoc-ref:"><script>alert(`rdoc-ref`)</script>"'
end
def test_convert_RDOCLINK_escape_xxx
assert_escaped '<script>', 'rdoc-xxx:"><script>alert(`rdoc-xxx`)</script>"'
end
def test_convert_TIDYLINK_footnote def test_convert_TIDYLINK_footnote
result = @to.convert 'text{*1}[rdoc-label:foottext-1:footmark-1]' result = @to.convert 'text{*1}[rdoc-label:foottext-1:footmark-1]'
@ -690,6 +710,11 @@ EXPECTED
"\n<p><a href=\"http://example.com\"><img src=\"path/to/image.jpg\"></a></p>\n" "\n<p><a href=\"http://example.com\"><img src=\"path/to/image.jpg\"></a></p>\n"
assert_equal expected, result assert_equal expected, result
result =
@to.convert '{rdoc-image:<script>alert`link text`</script>}[http://example.com]'
assert_not_include result, "<script>"
end end
def test_convert_TIDYLINK_rdoc_label def test_convert_TIDYLINK_rdoc_label