authorNobuyoshi Nakada <nobu@ruby-lang.org>2022-04-13 22:02:21 +0900
committergit <svn-admin@ruby-lang.org>2022-10-07 12:09:23 +0900
commit8d0b2162a09183eb3d58a5a1d824b4daf16bf3c8 (patch)
tree858d8f865f5c88387df89db57268cfc12cbf5e07
parent586e18b94645b2d3181720d311fcd72b4bb2ca88 (diff)
[ruby/rdoc] Escape main title
https://hackerone.com/reports/1187156 https://github.com/ruby/rdoc/commit/5dedb5741d
-rw-r--r--lib/rdoc/generator/template/darkfish/index.rhtml2
-rw-r--r--test/rdoc/test_rdoc_generator_darkfish.rb21
2 files changed, 22 insertions, 1 deletions
diff --git a/lib/rdoc/generator/template/darkfish/index.rhtml b/lib/rdoc/generator/template/darkfish/index.rhtml
index 13fa3dcc7f..423e225b68 100644
--- a/lib/rdoc/generator/template/darkfish/index.rhtml
+++ b/lib/rdoc/generator/template/darkfish/index.rhtml
@@ -17,6 +17,6 @@
main_page = @files.find { |f| f.full_name == @options.main_page } then %>
<%= main_page.description %>
<%- else -%>
-<p>This is the API documentation for <%= @title %>.
+<p>This is the API documentation for <%= h @title %>.
<%- end -%>
</main>
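Review bot: Only this single interpolation of `@title` gets `h`; the `<title>` element and any header or navigation markup that also render `@title` live in other darkfish templates outside this hunk, and the test added in this commit asserts the escaped value in `<title>`, so that one is presumably covered already, but the remaining occurrences should be audited the same way rather than assumed. Since `--title` is operator-supplied input that ends up in generated HTML, a short template comment on the changed line would keep the intent visible to the next editor, e.g. `<%# @title comes from --title; always escape it %>`. The enclosing `if`/`else` starts before the hunk.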
diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index ae3a4c5ebf..1cee3e44ab 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -248,6 +248,22 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
assert_include File.read('index.html'), %Q[href="./#{base}"]
end
+ def test_title
+ title = "RDoc Test".freeze
+ @options.title = title
+ @g.generate
+
+ assert_main_title(File.read('index.html'), title)
+ end
+
+ def test_title_escape
+ title = %[<script>alert("RDoc")</script>].freeze
+ @options.title = title
+ @g.generate
+
+ assert_main_title(File.read('index.html'), title)
+ end
+
##
# Asserts that +filename+ has a link count greater than 1 if hard links to
# @tmpdir are supported.
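Review bot: test_title_escape only checks that the escaped form appears inside `<title>` and `<main>`; it never asserts that the raw `<script>` string is absent, so an unescaped copy of the title emitted elsewhere in index.html would still pass. Add a negative check after the helper call in test_title_escape, `refute_include File.read('index.html'), title`, which fails on any unescaped emission anywhere in the page while leaving test_title (where escaping is a no-op) unchanged. The `.freeze` on both titles is presumably there so an in-place mutation by the generator raises rather than silently altering the option; a one-line comment such as `# frozen so any in-place mutation by the generator fails loudly` would record that. The enclosing TestRDocGeneratorDarkfish class starts outside the hunk.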
@@ -271,4 +287,9 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
"#(unknown) is not hard-linked"
end
+ def assert_main_title(content, title)
+ title = CGI.escapeHTML(title)
+ assert_equal(title, content[%r[<title>(.*?)<\/title>]im, 1])
+ assert_include(content[%r[<main\s[^<>]*+>\s*(.*?)</main>]im, 1], title)
+ end
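Review bot: assert_main_title reassigns its `title` parameter to the escaped value, so the name means two different things within five lines; `escaped = CGI.escapeHTML(title)` and using `escaped` in both assertions reads more clearly. If the `<main>` regex does not match, `content[..., 1]` is nil and the second assertion fails on a nil receiver instead of a readable message, so capturing it first, `main = content[%r[<main\s[^<>]*+>\s*(.*?)</main>]im, 1]` followed by `refute_nil main, 'no <main> element in index.html'`, gives a useful failure. The `\/` in `<\/title>` is unnecessary inside `%r[...]` and can be dropped; and if the test helper does not already load `cgi`, this helper needs a `require 'cgi'` at the top of the file.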
end