diff options
| author | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-12-21 20:40:02 +0000 |
|---|---|---|
| committer | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-12-21 20:40:02 +0000 |
| commit | 1b107d48ef2f67a48cb974890c2944381fd4ee4a (patch) | |
| tree | 8d4e572e45bdb120ed8580f232e794d3cc65d28b | |
| parent | 8e4c5d3ab156c253cea00890230db50e1de611c7 (diff) | |
escape.c: Preserve original state
* ext/cgi/escape/escape.c (preserve_original_state): Preserve
original state for tainted and frozen. [Fix GH-1166]
[ruby-dev:49451] [Bug #11855]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53233 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | ext/cgi/escape/escape.c | 10 | ||||
| -rw-r--r-- | test/cgi/test_cgi_util.rb | 10 |
3 files changed, 25 insertions, 1 deletions
@@ -1,3 +1,9 @@ +Tue Dec 22 05:39:58 2015 Takashi Kokubun <[email protected]> + + * ext/cgi/escape/escape.c (preserve_original_state): Preserve + original state for tainted and frozen. [Fix GH-1166] + [ruby-dev:49451] [Bug #11855] + Tue Dec 22 03:57:20 2015 Eric Wong <[email protected]> * ext/socket/init.c (rsock_init_sock): check FD after validating diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c index 6fec95af04..939b054ad2 100644 --- a/ext/cgi/escape/escape.c +++ b/ext/cgi/escape/escape.c @@ -25,6 +25,14 @@ html_escaped_cat(VALUE str, char c) } } +static inline void +preserve_original_state(VALUE orig, VALUE dest) +{ + rb_enc_associate(dest, rb_enc_get(orig)); + + FL_SET_RAW(dest, FL_TEST_RAW(orig, FL_FREEZE|FL_TAINT)); +} + static VALUE optimized_escape_html(VALUE str) { @@ -57,7 +65,7 @@ optimized_escape_html(VALUE str) if (modified) { rb_str_cat(dest, cstr + beg, len - beg); - rb_enc_associate(dest, rb_enc_get(str)); + preserve_original_state(str, dest); return dest; } else { diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb index d30c9bd79c..08c2ed2056 100644 --- a/test/cgi/test_cgi_util.rb +++ b/test/cgi/test_cgi_util.rb @@ -68,6 +68,16 @@ class CGIUtilTest < Test::Unit::TestCase assert_equal(Encoding::UTF_8, CGI::escapeHTML("'&\"><".force_encoding("UTF-8")).encoding) end + def test_cgi_escape_html_preserve_tainted + assert_equal(false, CGI::escapeHTML("'&\"><").tainted?) + assert_equal(true, CGI::escapeHTML("'&\"><".taint).tainted?) + end + + def test_cgi_escape_html_preserve_frozen + assert_equal(false, CGI::escapeHTML("'&\"><".dup).frozen?) + assert_equal(true, CGI::escapeHTML("'&\"><".freeze).frozen?) + end + def test_cgi_unescapeHTML assert_equal("'&\"><", CGI::unescapeHTML("'&"><")) end |