@@ -704,6 +704,23 @@ def test_convert_TIDYLINK_irc
704
704
assert_equal "\n <p><a href=\" irc://irc.freenode.net/#ruby-lang\" >ruby-lang</a></p>\n " , result
705
705
end
706
706
707
+ def test_convert_TIDYLINK_escape_text
708
+ assert_escaped '<script>' , '{<script>alert`link text`</script>}[a]'
709
+ assert_escaped '<script>' , 'x:/<script>alert(1);</script>[[]'
710
+ end
711
+
712
+ def test_convert_TIDYLINK_escape_javascript
713
+ assert_not_include '{click}[javascript:alert`javascript_scheme`]' , '<a href="javascript:'
714
+ end
715
+
716
+ def test_convert_TIDYLINK_escape_onmouseover
717
+ assert_escaped '"/onmouseover="' , '{onmouseover}[http://"/onmouseover="alert`on_mouse_link`"]'
718
+ end
719
+
720
+ def test_convert_TIDYLINK_escape_onerror
721
+ assert_escaped '"onerror="' , '{link_image}[http://"onerror="alert`link_image`".png]'
722
+ end
723
+
707
724
def test_convert_with_exclude_tag
708
725
assert_equal "\n <p><code>aaa</code>[:symbol]</p>\n " , @to . convert ( '+aaa+[:symbol]' )
709
726
assert_equal "\n <p><code>aaa[:symbol]</code></p>\n " , @to . convert ( '+aaa[:symbol]+' )
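Review bot: test_convert_TIDYLINK_escape_javascript only refutes the exact substring `<a href="javascript:`, so a converter that emitted the scheme in different case, with whitespace after the quote, or with its characters entity-encoded would still pass, and nothing states what the link is rendered as instead. The three sibling tests go through assert_escaped, which also asserts the escaped form is present; this one should pin the expected output positively too, in the style of the assert_equal at the top of this hunk, and refute the scheme case-insensitively, e.g. `assert_not_match %r{href\s*=\s*["']?\s*javascript:}i, @to.convert('{click}[javascript:alert`javascript_scheme`]')` (or the equivalent refutation in the test framework this file uses). A mixed-case variant of the same input would also pin down case-insensitive scheme handling. assert_escaped is defined in the second hunk of this file.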
@@ -903,5 +920,11 @@ def test_accept_table
903
920
assert_include ( res [ %r<<td[^<>]*>.*em.*</td>> ] , '<em>em</em>' )
904
921
assert_include ( res [ %r<<td[^<>]*>.*strong.*</td>> ] , '<strong>strong</strong>' )
905
922
end
923
+
924
+ def assert_escaped ( unexpected , code )
925
+ result = @to . convert ( code )
926
+ assert_not_include result , unexpected
927
+ assert_include result , CGI . escapeHTML ( unexpected )
928
+ end
906
929
end
907
930