From deaa65660822e070294d6c2a7dfec286cbbdff56 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Mon, 28 Mar 2022 18:36:56 +0900
Subject: [PATCH] [ruby/rdoc] Escape TIDYLINKs

https://hackerone.com/reports/1187156
https://github.com/ruby/rdoc/commit/1ad2dd3ca2
---
 lib/rdoc/markup/to_html.rb | 8 ++++++--
 test/rdoc/test_rdoc_markup_to_html.rb | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/lib/rdoc/markup/to_html.rb b/lib/rdoc/markup/to_html.rb
index 61f14d3ab7..3c4f82f748 100644
--- a/lib/rdoc/markup/to_html.rb
+++ b/lib/rdoc/markup/to_html.rb
@@ -154,9 +154,13 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
 text =~ /^\{(.*)\}\[(.*?)\]$/ or text =~ /^(\S+)\[(.*?)\]$/
 label = $1
- url = $2
+ url = CGI.escapeHTML($2)
- label = handle_RDOCLINK label if /^rdoc-image:/ =~ label
+ if /^rdoc-image:/ =~ label
+ label = handle_RDOCLINK(label)
+ else
+ label = CGI.escapeHTML(label)
+ end
 gen_url url, label
 end
diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index 02baf13512..8a38694c45 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -704,6 +704,23 @@ EXPECTED
 assert_equal "\n
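Review bot: The `rdoc-image:` branch still passes `label` to `handle_RDOCLINK(label)` unescaped, so the escaping added in this hunk only covers the `else` branch; whether an image label can carry markup into the output now depends entirely on what handle_RDOCLINK does with it, which is outside the hunk and worth confirming before relying on it. A short comment on that branch would record the contract, e.g. `# rdoc-image: labels are not escaped here; handle_RDOCLINK is responsible for its own output — confirm`. On the `url` line, `CGI.escapeHTML($2)` prevents a quote in the link target from closing the `href` attribute but does not validate the URL scheme; the javascript test added in the same commit suggests that is handled in gen_url (also outside the hunk), so a comment such as `# escaped for the attribute context only; scheme handling belongs to gen_url` would stop a later reader from assuming this line is the whole defence. The enclosing method begins before the hunk.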

ruby-lang

\n", result end + def test_convert_TIDYLINK_escape_text + assert_escaped '}[a]' + assert_escaped '[[]' + end + + def test_convert_TIDYLINK_escape_javascript + assert_not_include '{click}[javascript:alert`javascript_scheme`]', 'aaa[:symbol]

\n", @to.convert('+aaa+[:symbol]') assert_equal "\n

aaa[:symbol]

\n", @to.convert('+aaa[:symbol]+')
@@ -903,5 +920,11 @@ EXPECTED
 assert_include(res[%r<]*>.*em.*>], 'em')
 assert_include(res[%r<]*>.*strong.*>], 'strong')
 end
+
+ def assert_escaped(unexpected, code)
+ result = @to.convert(code)
+ assert_not_include result, unexpected
+ assert_include result, CGI.escapeHTML(unexpected)
+ end
 end