1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/rdoc] Escape file names

Browse Source 
https://hackerone.com/reports/1321358

https://github.com/ruby/rdoc/commit/8c07cc4657
This commit is contained in:
Nobuyoshi Nakada 2021-08-28 17:41:47 +09:00 committed by git
parent 8d0b2162a0
commit a3cb09c7d1
3 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
View File

@ -12,18 +12,18 @@
<%- end.each do |n, files| -%>
<%- f = files.shift -%>
<%- if files.empty? -%>
<li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
<li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
<%- next -%>
<%- end -%>
<li><details<% if dir == n %> open<% end %>><summary><%
if n == f.page_name
%><a href="<%= rel_prefix %>/<%= f.path %>"><%= h n %></a><%
%><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h n %></a><%
else
%><%= h n %><% files.unshift(f)
end %></summary>
<ul class="link-list">
<%- files.each do |f| -%>
<li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
<li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
<%- end -%>
</ul></details>
<%- end -%>

4
lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
View File

@ -8,14 +8,14 @@
<ul>
<%- simple_files.sort.each do |file| -%>
<li class="file">
<a href="<%= file.path %>"><%= h file.page_name %></a>
<a href="<%= h file.path %>"><%= h file.page_name %></a>
<%
# HACK table_of_contents should not exist on Document
table = file.parse(file.comment).table_of_contents
unless table.empty? then %>
<ul>
<%- table.each do |heading| -%>
<li><a href="<%= file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
<li><a href="<%= h file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
<%- end -%>
</ul>
<%- end -%>

14
test/rdoc/test_rdoc_generator_darkfish.rb
View File

@ -233,6 +233,20 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
assert_includes method_name, '{ |%&lt;&lt;script&gt;alert(&quot;atui&quot;)&lt;/script&gt;&gt;, yield_arg| ... }'
end
def test_generated_filename_with_html_tag
@store.add_file '"><em>should be escaped'
doc = @store.all_files.last
doc.parser = RDoc::Parser::Simple
@g.generate
Dir.glob("*.html", base: @tmpdir) do |html|
File.read(File.join(@tmpdir, html)).scan(/.*should be escaped.*/) do |line|
assert_not_include line, "<em>", html
end
end
end
def test_template_stylesheets
css = Tempfile.create(%W'hoge .css', Dir.mktmpdir('tmp', '.'))
File.write(css, '')