summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--lib/rdoc/markup/to_html.rb8
-rw-r--r--test/rdoc/test_rdoc_markup_to_html.rb23
2 files changed, 29 insertions, 2 deletions
diff --git a/lib/rdoc/markup/to_html.rb b/lib/rdoc/markup/to_html.rb
index 61f14d3ab7..3c4f82f748 100644
--- a/lib/rdoc/markup/to_html.rb
+++ b/lib/rdoc/markup/to_html.rb
@@ -154,9 +154,13 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
text =~ /^\{(.*)\}\[(.*?)\]$/ or text =~ /^(\S+)\[(.*?)\]$/
label = $1
- url = $2
+ url = CGI.escapeHTML($2)
- label = handle_RDOCLINK label if /^rdoc-image:/ =~ label
+ if /^rdoc-image:/ =~ label
+ label = handle_RDOCLINK(label)
+ else
+ label = CGI.escapeHTML(label)
+ end
gen_url url, label
end
diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index 02baf13512..8a38694c45 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -704,6 +704,23 @@ EXPECTED
assert_equal "\n<p><a href=\"irc://irc.freenode.net/#ruby-lang\">ruby-lang</a></p>\n", result
end
+ def test_convert_TIDYLINK_escape_text
+ assert_escaped '<script>', '{<script>alert`link text`</script>}[a]'
+ assert_escaped '<script>', 'x:/<script>alert(1);</script>[[]'
+ end
+
+ def test_convert_TIDYLINK_escape_javascript
+ assert_not_include '{click}[javascript:alert`javascript_scheme`]', '<a href="javascript:'
+ end
+
+ def test_convert_TIDYLINK_escape_onmouseover
+ assert_escaped '"/onmouseover="', '{onmouseover}[http://"/onmouseover="alert`on_mouse_link`"]'
+ end
+
+ def test_convert_TIDYLINK_escape_onerror
+ assert_escaped '"onerror="', '{link_image}[http://"onerror="alert`link_image`".png]'
+ end
+
def test_convert_with_exclude_tag
assert_equal "\n<p><code>aaa</code>[:symbol]</p>\n", @to.convert('+aaa+[:symbol]')
assert_equal "\n<p><code>aaa[:symbol]</code></p>\n", @to.convert('+aaa[:symbol]+')
@@ -903,5 +920,11 @@ EXPECTED
assert_include(res[%r<<td[^<>]*>.*em.*</td>>], '<em>em</em>')
assert_include(res[%r<<td[^<>]*>.*strong.*</td>>], '<strong>strong</strong>')
end
+
+ def assert_escaped(unexpected, code)
+ result = @to.convert(code)
+ assert_not_include result, unexpected
+ assert_include result, CGI.escapeHTML(unexpected)
+ end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-20 02:51:14 +0000