From deaa65660822e070294d6c2a7dfec286cbbdff56 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Mon, 28 Mar 2022 18:36:56 +0900
Subject: [ruby/rdoc] Escape TIDYLINKs

https://hackerone.com/reports/1187156

https://github.com/ruby/rdoc/commit/1ad2dd3ca2
---
 test/rdoc/test_rdoc_markup_to_html.rb | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'test')

diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index 02baf13512..8a38694c45 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -704,6 +704,23 @@ EXPECTED
     assert_equal "\n<p><a href=\"irc://irc.freenode.net/#ruby-lang\">ruby-lang</a></p>\n", result
   end
 
+  def test_convert_TIDYLINK_escape_text
+    assert_escaped '<script>', '{<script>alert`link text`</script>}[a]'
+    assert_escaped '<script>', 'x:/<script>alert(1);</script>[[]'
+  end
+
+  def test_convert_TIDYLINK_escape_javascript
+    assert_not_include '{click}[javascript:alert`javascript_scheme`]', '<a href="javascript:'
+  end
+
+  def test_convert_TIDYLINK_escape_onmouseover
+    assert_escaped '"/onmouseover="', '{onmouseover}[http://"/onmouseover="alert`on_mouse_link`"]'
+  end
+
+  def test_convert_TIDYLINK_escape_onerror
+    assert_escaped '"onerror="', '{link_image}[http://"onerror="alert`link_image`".png]'
+  end
+
   def test_convert_with_exclude_tag
     assert_equal "\n<p><code>aaa</code>[:symbol]</p>\n", @to.convert('+aaa+[:symbol]')
     assert_equal "\n<p><code>aaa[:symbol]</code></p>\n", @to.convert('+aaa[:symbol]+')
@@ -903,5 +920,11 @@ EXPECTED
     assert_include(res[%r<<td[^<>]*>.*em.*</td>>], '<em>em</em>')
     assert_include(res[%r<<td[^<>]*>.*strong.*</td>>], '<strong>strong</strong>')
   end
+
+  def assert_escaped(unexpected, code)
+    result = @to.convert(code)
+    assert_not_include result, unexpected
+    assert_include result, CGI.escapeHTML(unexpected)
+  end
 end
 
-- 
cgit v1.2.3