1 files changed, 136 insertions, 5 deletions

diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index e5d7a35710..e3affa533c 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -391,11 +391,43 @@ class TestRDocMarkupToHtml < RDoc::Markup::FormatterTestCase
   end
 
   def test_accept_paragraph_newline
+    hellos = ["hello", "\u{393 3b5 3b9 3ac} \u{3c3 3bf 3c5}"]
+    worlds = ["world", "\u{3ba 3cc 3c3 3bc 3bf 3c2}"]
+    ohayo, sekai = %W"\u{304a 306f 3088 3046} \u{4e16 754c}"
+
+    hellos.product(worlds) do |hello, world|
+      @to.start_accepting
+      @to.accept_paragraph para("#{hello}\n", "#{world}\n")
+      assert_equal "\n<p>#{hello} #{world}</p>\n", @to.res.join
+    end
+
+    hellos.each do |hello|
+      @to.start_accepting
+      @to.accept_paragraph para("#{hello}\n", "#{sekai}\n")
+      assert_equal "\n<p>#{hello}#{sekai}</p>\n", @to.res.join
+    end
+
+    worlds.each do |world|
+      @to.start_accepting
+      @to.accept_paragraph para("#{ohayo}\n", "#{world}\n")
+      assert_equal "\n<p>#{ohayo}#{world}</p>\n", @to.res.join
+    end
+
     @to.start_accepting
+    @to.accept_paragraph para("#{ohayo}\n", "#{sekai}\n")
+    assert_equal "\n<p>#{ohayo}#{sekai}</p>\n", @to.res.join
 
-    @to.accept_paragraph para("hello\n", "world\n")
+    @to.start_accepting
+    @to.accept_paragraph para("+hello+\n", "world\n")
+    assert_equal "\n<p><code>hello</code> world</p>\n", @to.res.join
+
+    @to.start_accepting
+    @to.accept_paragraph para("hello\n", "+world+\n")
+    assert_equal "\n<p>hello <code>world</code></p>\n", @to.res.join
 
-    assert_equal "\n<p>hello world </p>\n", @to.res.join
+    @to.start_accepting
+    @to.accept_paragraph para("+hello+\n", "+world+\n")
+    assert_equal "\n<p><code>hello</code> <code>world</code></p>\n", @to.res.join
   end
 
   def test_accept_heading_output_decoration
@@ -602,9 +634,9 @@ end
   end
 
   def test_accept_verbatim_redefinable_operators
-    functions = %w[| ^ & <=> == === =~ > >= < <= << >> + - * / % ** ~ +@ -@ [] []= ` !  != !~].map { |redefinable_op|
+    functions = %w[| ^ & <=> == === =~ > >= < <= << >> + - * / % ** ~ +@ -@ [] []= ` !  != !~].flat_map { |redefinable_op|
       ["def #{redefinable_op}\n", "end\n"]
-    }.flatten
+    }
 
     verb = @RM::Verbatim.new(*functions)
 
@@ -665,6 +697,26 @@ EXPECTED
     assert_equal "\n<p>C</p>\n", result
   end
 
+  def test_convert_RDOCLINK_escape_image
+    assert_escaped '<script>', 'rdoc-image:"><script>alert(`rdoc-image`)</script>"'
+  end
+
+  def test_convert_RDOCLINK_escape_label_id
+    assert_escaped '<script>', 'rdoc-label::path::"><script>alert(`rdoc-label_id`)</script>"'
+  end
+
+  def test_convert_RDOCLINK_escape_label_path
+    assert_escaped '<script>', 'rdoc-label::"><script>alert(`rdoc-label_path`)</script>"'
+  end
+
+  def test_convert_RDOCLINK_escape_ref
+    assert_escaped '<script>', 'rdoc-ref:"><script>alert(`rdoc-ref`)</script>"'
+  end
+
+  def test_convert_RDOCLINK_escape_xxx
+    assert_escaped '<script>', 'rdoc-xxx:"><script>alert(`rdoc-xxx`)</script>"'
+  end
+
   def test_convert_TIDYLINK_footnote
     result = @to.convert 'text{*1}[rdoc-label:foottext-1:footmark-1]'
 
@@ -690,6 +742,11 @@ EXPECTED
       "\n<p><a href=\"http://example.com\"><img src=\"path/to/image.jpg\"></a></p>\n"
 
     assert_equal expected, result
+
+    result =
+      @to.convert '{rdoc-image:<script>alert`link text`</script>}[http://example.com]'
+
+    assert_not_include result, "<script>"
   end
 
   def test_convert_TIDYLINK_rdoc_label
@@ -704,6 +761,23 @@ EXPECTED
     assert_equal "\n<p><a href=\"irc://irc.freenode.net/#ruby-lang\">ruby-lang</a></p>\n", result
   end
 
+  def test_convert_TIDYLINK_escape_text
+    assert_escaped '<script>', '{<script>alert`link text`</script>}[a]'
+    assert_escaped '<script>', 'x:/<script>alert(1);</script>[[]'
+  end
+
+  def test_convert_TIDYLINK_escape_javascript
+    assert_not_include '{click}[javascript:alert`javascript_scheme`]', '<a href="javascript:'
+  end
+
+  def test_convert_TIDYLINK_escape_onmouseover
+    assert_escaped '"/onmouseover="', '{onmouseover}[http://"/onmouseover="alert`on_mouse_link`"]'
+  end
+
+  def test_convert_TIDYLINK_escape_onerror
+    assert_escaped '"onerror="', '{link_image}[http://"onerror="alert`link_image`".png]'
+  end
+
   def test_convert_with_exclude_tag
     assert_equal "\n<p><code>aaa</code>[:symbol]</p>\n", @to.convert('+aaa+[:symbol]')
     assert_equal "\n<p><code>aaa[:symbol]</code></p>\n", @to.convert('+aaa[:symbol]+')
@@ -794,6 +868,11 @@ EXPECTED
     assert_equal '<a href="irc://irc.freenode.net/#ruby-lang">irc.freenode.net/#ruby-lang</a>', link
   end
 
+  def test_handle_regexp_HYPERLINK_escape
+    code = 'irc://irc.freenode.net/"><script>alert(`irc`)</script><a"'
+    assert_escaped '<script>', code
+  end
+
   def test_list_verbatim_2
     str = "* one\n    verb1\n    verb2\n* two\n"
 
@@ -812,6 +891,26 @@ EXPECTED
     assert_equal expected, @m.convert(str, @to)
   end
 
+  def test_block_quote_in_verbatim
+    str = "BlockQuote\n  >>>\n"
+
+    expected = <<-EXPECTED
+<p>BlockQuote</p>
+<pre>&gt;&gt;&gt;</pre>
+    EXPECTED
+
+    assert_equal expected, @m.convert(str, @to).gsub(/^\n/, "")
+
+    str = "BlockQuote\n  >>>  word\n"
+
+    expected = <<-EXPECTED
+<p>BlockQuote</p>
+<pre>&gt;&gt;&gt;  word</pre>
+    EXPECTED
+
+    assert_equal expected, @m.convert(str, @to).gsub(/^\n/, "")
+  end
+
   def test_parseable_eh
     valid_syntax = [
       'def x() end',
@@ -856,5 +955,37 @@ EXPECTED
     @to.end_accepting
   end
 
+  def test_accept_table
+    header = %w[Col1 Col2 Col3]
+    body = [
+      %w[cell1_1 cell1_2 cell1_3],
+      %w[cell2_1 cell2_2 cell2_3],
+      ['<script>alert("foo");</script>',],
+      %w[+code+ _em_ **strong**],
+    ]
+    aligns = [:left, :right, nil]
+    @to.start_accepting
+    @to.accept_table(header, body, aligns)
+    res = @to.end_accepting
+    assert_include(res[%r<<th[^<>]*>Col1</th>>], 'align="left"')
+    assert_include(res[%r<<th[^<>]*>Col2</th>>], 'align="right"')
+    assert_not_include(res[%r<<th[^<>]*>Col3</th>>], 'align=')
+    assert_include(res[%r<<td[^<>]*>cell1_1</td>>], 'align="left"')
+    assert_include(res[%r<<td[^<>]*>cell1_2</td>>], 'align="right"')
+    assert_not_include(res[%r<<td[^<>]*>cell1_3</td>>], 'align=')
+    assert_include(res[%r<<td[^<>]*>cell2_1</td>>], 'align="left"')
+    assert_include(res[%r<<td[^<>]*>cell2_2</td>>], 'align="right"')
+    assert_not_include(res[%r<<td[^<>]*>cell2_3</td>>], 'align=')
+    assert_not_include(res, '<script>')
+    assert_include(res[%r<<td[^<>]*>.*script.*</td>>], '&lt;script&gt;')
+    assert_include(res[%r<<td[^<>]*>.*code.*</td>>], '<code>code</code>')
+    assert_include(res[%r<<td[^<>]*>.*em.*</td>>], '<em>em</em>')
+    assert_include(res[%r<<td[^<>]*>.*strong.*</td>>], '<strong>strong</strong>')
+  end
+
+  def assert_escaped(unexpected, code)
+    result = @to.convert(code)
+    assert_not_include result, unexpected
+    assert_include result, CGI.escapeHTML(unexpected)
+  end
 end
-