
Commit 1ad2dd3

committed
1 parent 369e4fa commit 1ad2dd3


2 files changed

+29
-2
lines changed


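--- a/lib/rdoc/markup/to_html.rb
+++ b/lib/rdoc/markup/to_html.rb
@@ -154,9 +154,13 @@ def handle_regexp_TIDYLINK(target)
     text =~ /^\{(.*)\}\[(.*?)\]$/ or text =~ /^(\S+)\[(.*?)\]$/
 
     label = $1
-    url = $2
+    url = CGI.escapeHTML($2)
 
-    label = handle_RDOCLINK label if /^rdoc-image:/ =~ label
+    if /^rdoc-image:/ =~ label
+      label = handle_RDOCLINK(label)
+    else
+      label = CGI.escapeHTML(label)
+    end
 
     gen_url url, label
   end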
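Review bot: `url = CGI.escapeHTML($2)` raises TypeError when `$2` is nil, which is the case whenever neither alternative of the `text =~` line matched; the replaced line passed the nil url through to gen_url instead. Whether a non-matching `text` can reach this method depends on the parser's TIDYLINK regexp, which is outside this hunk, so either record the invariant next to the match, `# the parser only hands us text matching one of the two TIDYLINK forms`, or guard the nil case explicitly before escaping. The `rdoc-image:` branch still hands the unescaped label to handle_RDOCLINK, so escaping the image path is presumably that method's responsibility; a one-line comment on the branch saying so would keep the asymmetry with the `else` branch from reading as an omission. handle_regexp_TIDYLINK starts outside the hunk.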

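--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
@@ -704,6 +704,23 @@ def test_convert_TIDYLINK_irc
     assert_equal "\n<p><a href=\"irc://irc.freenode.net/#ruby-lang\">ruby-lang</a></p>\n", result
   end
 
+  def test_convert_TIDYLINK_escape_text
+    assert_escaped '<script>', '{<script>alert`link text`</script>}[a]'
+    assert_escaped '<script>', 'x:/<script>alert(1);</script>[[]'
+  end
+
+  def test_convert_TIDYLINK_escape_javascript
+    assert_not_include '{click}[javascript:alert`javascript_scheme`]', '<a href="javascript:'
+  end
+
+  def test_convert_TIDYLINK_escape_onmouseover
+    assert_escaped '"/onmouseover="', '{onmouseover}[http://"/onmouseover="alert`on_mouse_link`"]'
+  end
+
+  def test_convert_TIDYLINK_escape_onerror
+    assert_escaped '"onerror="', '{link_image}[http://"onerror="alert`link_image`".png]'
+  end
+
   def test_convert_with_exclude_tag
     assert_equal "\n<p><code>aaa</code>[:symbol]</p>\n", @to.convert('+aaa+[:symbol]')
     assert_equal "\n<p><code>aaa[:symbol]</code></p>\n", @to.convert('+aaa[:symbol]+')
@@ -903,5 +920,11 @@ def test_accept_table
     assert_include(res[%r<<td[^<>]*>.*em.*</td>>], '<em>em</em>')
     assert_include(res[%r<<td[^<>]*>.*strong.*</td>>], '<strong>strong</strong>')
   end
+
+  def assert_escaped(unexpected, code)
+    result = @to.convert(code)
+    assert_not_include result, unexpected
+    assert_include result, CGI.escapeHTML(unexpected)
+  end
 end
 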
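Review bot: `test_convert_TIDYLINK_escape_javascript` never runs the converter: the raw markup string is passed to `assert_not_include` as the collection, so the test only checks that the source text lacks `<a href="javascript:` and passes vacuously even if the generated HTML contained exactly that. It should be `assert_not_include @to.convert('{click}[javascript:alert`javascript_scheme`]'), '<a href="javascript:'`, mirroring what the new assert_escaped helper does with `@to.convert(code)`, and ideally also assert what the link did become so that a regression that drops the link entirely is still distinguishable from a correct rewrite. The assert_escaped helper sits among the test methods without a `private` marker; its name lacks the `test_` prefix so it is not collected as a test, but placing it under `private` would make that intent explicit.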
