From a3cb09c7d17f2626ebd6eae774f0425d602ed95b Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Sat, 28 Aug 2021 17:41:47 +0900
Subject: [PATCH] [ruby/rdoc] Escape file names

https://hackerone.com/reports/1321358

https://github.com/ruby/rdoc/commit/8c07cc4657
---
 .../template/darkfish/_sidebar_pages.rhtml         |  6 +++---
 .../template/darkfish/table_of_contents.rhtml      |  4 ++--
 test/rdoc/test_rdoc_generator_darkfish.rb          | 14 ++++++++++++++
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
index 0ed683ca14..3f68f0c0dc 100644
--- a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
+++ b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
@@ -12,18 +12,18 @@
   <%- end.each do |n, files| -%>
     <%- f = files.shift -%>
     <%- if files.empty? -%>
-    <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
+    <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
       <%- next -%>
     <%- end -%>
     <li><details<% if dir == n %> open<% end %>><summary><%
     if n == f.page_name
-      %><a href="<%= rel_prefix %>/<%= f.path %>"><%= h n %></a><%
+      %><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h n %></a><%
     else
       %><%= h n %><% files.unshift(f)
     end %></summary>
     <ul class="link-list">
     <%- files.each do |f| -%>
-      <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
+      <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
     <%- end -%>
     </ul></details>
   <%- end -%>
diff --git a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
index 303d7016cc..941ff9d630 100644
--- a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
+++ b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
@@ -8,14 +8,14 @@
 <ul>
 <%- simple_files.sort.each do |file| -%>
   <li class="file">
-    <a href="<%= file.path %>"><%= h file.page_name %></a>
+    <a href="<%= h file.path %>"><%= h file.page_name %></a>
 <%
    # HACK table_of_contents should not exist on Document
    table = file.parse(file.comment).table_of_contents
    unless table.empty? then %>
     <ul>
 <%- table.each do |heading| -%>
-      <li><a href="<%= file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
+      <li><a href="<%= h file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
 <%-   end -%>
     </ul>
 <%- end -%>
diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index 1cee3e44ab..140cf0916b 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -233,6 +233,20 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
     assert_includes method_name, '{ |%&lt;&lt;script&gt;alert(&quot;atui&quot;)&lt;/script&gt;&gt;, yield_arg| ... }'
   end
 
+  def test_generated_filename_with_html_tag
+    @store.add_file '"><em>should be escaped'
+    doc = @store.all_files.last
+    doc.parser = RDoc::Parser::Simple
+
+    @g.generate
+
+    Dir.glob("*.html", base: @tmpdir) do |html|
+      File.read(File.join(@tmpdir, html)).scan(/.*should be escaped.*/) do |line|
+        assert_not_include line, "<em>", html
+      end
+    end
+  end
+
   def test_template_stylesheets
     css = Tempfile.create(%W'hoge .css', Dir.mktmpdir('tmp', '.'))
     File.write(css, '')