author | Nobuyoshi Nakada <[email protected]> | 2022-03-28 18:36:56 +0900 |
committer | git <[email protected]> | 2022-10-07 12:09:20 +0900 |
commit | deaa65660822e070294d6c2a7dfec286cbbdff56 (patch) | |
tree | a3b282f3a4dde05872caa7e10a5717238fdf9790 | |
parent | 0472effc41918f85c17e11885595ff810955e626 (diff) |
[ruby/rdoc] Escape TIDYLINKs
https://hackerone.com/reports/1187156
https://github.com/ruby/rdoc/commit/1ad2dd3ca2
-rw-r--r-- | lib/rdoc/markup/to_html.rb | 8 | ||||
-rw-r--r-- | test/rdoc/test_rdoc_markup_to_html.rb | 23 |
2 files changed, 29 insertions, 2 deletions
diff --git a/lib/rdoc/markup/to_html.rb b/lib/rdoc/markup/to_html.rb
index 61f14d3ab7..3c4f82f748 100644
--- a/lib/rdoc/markup/to_html.rb
+++ b/lib/rdoc/markup/to_html.rb
@@ -154,9 +154,13 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
 text =~ /^\{(.*)\}\[(.*?)\]$/ or text =~ /^(\S+)\[(.*?)\]$/
 label = $1
- url = $2
+ url = CGI.escapeHTML($2)
- label = handle_RDOCLINK label if /^rdoc-image:/ =~ label
+ if /^rdoc-image:/ =~ label
+ label = handle_RDOCLINK(label)
+ else
+ label = CGI.escapeHTML(label)
+ end
 gen_url url, label
 end
diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index 02baf13512..8a38694c45 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -704,6 +704,23 @@ EXPECTED
 assert_equal "\n<p><a href=\"irc://irc.freenode.net/#ruby-lang\">ruby-lang</a></p>\n", result
 end
+ def test_convert_TIDYLINK_escape_text
+ assert_escaped '<script>', '{<script>alert`link text`</script>}[a]'
+ assert_escaped '<script>', 'x:/<script>alert(1);</script>[[]'
+ end
+
+ def test_convert_TIDYLINK_escape_javascript
+ assert_not_include '{click}[javascript:alert`javascript_scheme`]', '<a href="javascript:'
+ end
+
+ def test_convert_TIDYLINK_escape_onmouseover
+ assert_escaped '"/onmouseover="', '{onmouseover}[http://"/onmouseover="alert`on_mouse_link`"]'
+ end
+
+ def test_convert_TIDYLINK_escape_onerror
+ assert_escaped '"onerror="', '{link_image}[http://"onerror="alert`link_image`".png]'
+ end
+
 def test_convert_with_exclude_tag
 assert_equal "\n<p><code>aaa</code>[:symbol]</p>\n", @to.convert('+aaa+[:symbol]')
 assert_equal "\n<p><code>aaa[:symbol]</code></p>\n", @to.convert('+aaa[:symbol]+')
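Review bot: The `rdoc-image:` branch still hands the raw label capture to `handle_RDOCLINK(label)`, so the new `CGI.escapeHTML` covers only the plain-label branch and the url; whether `handle_RDOCLINK` escapes the image path before it reaches `gen_url` is outside this hunk and cannot be confirmed here. If it does, a one-line comment such as `# handle_RDOCLINK escapes the image path itself; plain labels are escaped here` would make the asymmetry deliberate, and a test with an `rdoc-image:` label containing a quote character would pin it. `url = CGI.escapeHTML($2)` stops the url from closing the `href` attribute but does not restrict its scheme; if that is meant to be `gen_url`'s job, a comment naming that layer would help the next reader. `handle_RDOCLINK(label)` now uses parentheses while `gen_url url, label` two lines below does not, so the method should settle on one call style. handle_regexp_TIDYLINK starts before the hunk.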
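Review bot: `test_convert_TIDYLINK_escape_javascript` asserts against the markup source string rather than the converted output: its `assert_not_include` receives the input literal as the collection and checks that the literal lacks `<a href="javascript:`, which is trivially true, so the test passes regardless of what `@to.convert` emits. It should convert first, i.e. pass `@to.convert(input)` as the first argument and keep `'<a href="javascript:'` as the second. Whether the converted output then satisfies the assertion depends on how `gen_url` treats that scheme, which this diff does not change; if it fails, that is precisely the gap the test is named for and the current form hides it. The other three new tests go through `assert_escaped`, which does call `@to.convert`.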
@@ -903,5 +920,11 @@ EXPECTED
 assert_include(res[%r<<td[^<>]*>.*em.*</td>>], '<em>em</em>')
 assert_include(res[%r<<td[^<>]*>.*strong.*</td>>], '<strong>strong</strong>')
 end
+
+ def assert_escaped(unexpected, code)
+ result = @to.convert(code)
+ assert_not_include result, unexpected
+ assert_include result, CGI.escapeHTML(unexpected)
+ end
 end
|
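Review bot: `assert_escaped` has no comment, and its parameter order (`unexpected` before `code`) reads against the `@to.convert(code)` it performs, so a comment above `def assert_escaped(unexpected, code)` would help: `# Converts +code+ and asserts the rendered HTML contains +unexpected+ only in its CGI.escapeHTML form, never raw.` It is a helper defined among the test methods; if the file keeps other helpers under `private` (not visible here), this one belongs there too. It also relies on `CGI` being loaded in this test file, which the hunk does not show.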