[ruby/rdoc] Escape HYPERLINKs

https://github.com/ruby/rdoc/commit/ac35485be6
author: Nobuyoshi Nakada <[email protected]> 2022-04-13 16:14:28 +0900
committer: git <[email protected]> 2022-10-07 12:09:22 +0900
commit: 586e18b94645b2d3181720d311fcd72b4bb2ca88 (patch)
tree: 96c93b2c982470508d99c9d40a5c36617b53e7f6
parent: 9e3ab9da7fe6d4910a48d808e582e825d7b7467d (diff)
2 files changed, 6 insertions, 1 deletions
diff --git a/lib/rdoc/markup/to_html.rb b/lib/rdoc/markup/to_html.rb
index ccafdb61ba..bf323074de 100644
--- a/lib/rdoc/markup/to_html.rb
+++ b/lib/rdoc/markup/to_html.rb
@@ -123,7 +123,7 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
   #   Reference to a local file relative to the output directory.
 
   def handle_regexp_HYPERLINK(target)
-    url = target.text
+    url = CGI.escapeHTML(target.text)
 
     gen_url url, url
   end
diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index 3e4a8e8915..d11c2a4ed7 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -836,6 +836,11 @@ EXPECTED
     assert_equal '<a href="irc://irc.freenode.net/#ruby-lang">irc.freenode.net/#ruby-lang</a>', link
   end
 
+  def test_handle_regexp_HYPERLINK_escape
+    code = 'irc://irc.freenode.net/"><script>alert(`irc`)</script><a"'
+    assert_escaped '<script>', code
+  end
+
   def test_list_verbatim_2
     str = "* one\n    verb1\n    verb2\n* two\n"
author	Nobuyoshi Nakada <[email protected]>	2022-04-13 16:14:28 +0900
committer	git <[email protected]>	2022-10-07 12:09:22 +0900
commit	586e18b94645b2d3181720d311fcd72b4bb2ca88 (patch)
tree	96c93b2c982470508d99c9d40a5c36617b53e7f6
parent	9e3ab9da7fe6d4910a48d808e582e825d7b7467d (diff)