authorNobuyoshi Nakada <nobu@ruby-lang.org>2022-04-13 16:14:07 +0900
committergit <svn-admin@ruby-lang.org>2022-10-07 12:09:21 +0900
commit9e3ab9da7fe6d4910a48d808e582e825d7b7467d (patch)
treeb21e32a14625d4eeb7ce389398e7818171e5aacd
parentdeaa65660822e070294d6c2a7dfec286cbbdff56 (diff)
[ruby/rdoc] Escape RDOCLINKs
https://hackerone.com/reports/1187156 https://github.com/ruby/rdoc/commit/7cecf1efae
-rw-r--r--lib/rdoc/markup/to_html.rb12
-rw-r--r--test/rdoc/test_rdoc_markup_to_html.rb25
2 files changed, 30 insertions, 7 deletions
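--- a/lib/rdoc/markup/to_html.rb
+++ b/lib/rdoc/markup/to_html.rb
@@ -84,7 +84,7 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
 def handle_RDOCLINK url # :nodoc:
 case url
 when /^rdoc-ref:/
- $'
+ CGI.escapeHTML($')
 when /^rdoc-label:/
 text = $'
@@ -95,13 +95,11 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
 else text
 end
- gen_url url, text
+ gen_url CGI.escapeHTML(url), CGI.escapeHTML(text)
 when /^rdoc-image:/
- "<img src=\"#{$'}\">"
- else
- url =~ /\Ardoc-[a-z]+:/
-
- $'
+ %[<img src=\"#{CGI.escapeHTML($')}\">]
+ when /\Ardoc-[a-z]+:/
+ CGI.escapeHTML($')
 end
 end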
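Review bot: The three pre-existing `when` clauses of `handle_RDOCLINK` still anchor with `^` while the new fallback clause anchors with `\A`, so the method no longer agrees with itself on whether the `rdoc-*:` prefix must sit at the start of the string; with `^` a prefix following an embedded newline would still match and `$'` would hand back only the text after it. Aligning the older clauses to `when /\Ardoc-ref:/`, `when /\Ardoc-label:/` and `when /\Ardoc-image:/` makes the new escaping independent of line structure. In the new `%[...]` literal the `\"` escapes are no longer needed, since the delimiter is not a double quote. The rdoc-label branch now passes an already-escaped url into `gen_url`, whose body is outside the hunk; if the intent is that `gen_url` performs no further escaping, a comment such as `# url and text are HTML-escaped here; gen_url must not escape again` would pin that contract down.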
diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index 8a38694c45..3e4a8e8915 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -665,6 +665,26 @@ EXPECTED
assert_equal "\n<p>C</p>\n", result
end
+ def test_convert_RDOCLINK_escape_image
+ assert_escaped '<script>', 'rdoc-image:"><script>alert(`rdoc-image`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_label_id
+ assert_escaped '<script>', 'rdoc-label::path::"><script>alert(`rdoc-label_id`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_label_path
+ assert_escaped '<script>', 'rdoc-label::"><script>alert(`rdoc-label_path`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_ref
+ assert_escaped '<script>', 'rdoc-ref:"><script>alert(`rdoc-ref`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_xxx
+ assert_escaped '<script>', 'rdoc-xxx:"><script>alert(`rdoc-xxx`)</script>"'
+ end
+
def test_convert_TIDYLINK_footnote
result = @to.convert 'text{*1}[rdoc-label:foottext-1:footmark-1]'
@@ -690,6 +710,11 @@ EXPECTED
"\n<p><a href=\"http://example.com\"><img src=\"path/to/image.jpg\"></a></p>\n"
assert_equal expected, result
+
+ result =
+ @to.convert '{rdoc-image:<script>alert`link text`</script>}[http://example.com]'
+
+ assert_not_include result, "<script>"
end
def test_convert_TIDYLINK_rdoc_label