[前][次][番号順一覧][スレッド一覧]

ruby-changes:41680

From: nobu <ko1@a...>
Date: Sat, 6 Feb 2016 22:31:04 +0900 (JST)
Subject: [ruby-changes:41680] nobu:r53754 (trunk): ASCII-incompatible escape

nobu	2016-02-06 22:31:07 +0900 (Sat, 06 Feb 2016)

  New Revision: 53754

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=53754

  Log:
    ASCII-incompatible escape
    
    * lib/cgi/util.rb (escapeHTML, unescapeHTML): consider
      ASCII-incompatible encodings.  [Fix GH-1239]

  Modified files:
    trunk/ChangeLog
    trunk/lib/cgi/util.rb
    trunk/test/cgi/test_cgi_util.rb
Index: lib/cgi/util.rb
===================================================================
--- lib/cgi/util.rb	(revision 53753)
+++ lib/cgi/util.rb	(revision 53754)
@@ -35,6 +35,18 @@ module CGI::Util https://github.com/ruby/ruby/blob/trunk/lib/cgi/util.rb#L35
   #   CGI::escapeHTML('Usage: foo "bar" <baz>')
   #      # => "Usage: foo &quot;bar&quot; &lt;baz&gt;"
   def escapeHTML(string)
+    enc = string.encoding
+    unless enc.ascii_compatible?
+      if enc.dummy?
+        origenc = enc
+        enc = Encoding::Converter.asciicompat_encoding(enc)
+        string = enc ? string.encode(enc) : string.b
+      end
+      table = Hash[TABLE_FOR_ESCAPE_HTML__.map {|pair|pair.map {|s|s.encode(enc)}}]
+      string = string.gsub(/#{"['&\"<>]".encode(enc)}/, table)
+      string.encode!(origenc) if origenc
+      return string
+    end
     string.gsub(/['&\"<>]/, TABLE_FOR_ESCAPE_HTML__)
   end
 
@@ -47,10 +59,14 @@ module CGI::Util https://github.com/ruby/ruby/blob/trunk/lib/cgi/util.rb#L59
   #   CGI::unescapeHTML("Usage: foo &quot;bar&quot; &lt;baz&gt;")
   #      # => "Usage: foo \"bar\" <baz>"
   def unescapeHTML(string)
-    return string unless string.include? '&'
     enc = string.encoding
-    if enc != Encoding::UTF_8 && [Encoding::UTF_16BE, Encoding::UTF_16LE, Encoding::UTF_32BE, Encoding::UTF_32LE].include?(enc)
-      return string.gsub(Regexp.new('&(apos|amp|quot|gt|lt|#[0-9]+|#x[0-9A-Fa-f]+);'.encode(enc))) do
+    unless enc.ascii_compatible?
+      if enc.dummy?
+        origenc = enc
+        enc = Encoding::Converter.asciicompat_encoding(enc)
+        string = enc ? string.encode(enc) : string.b
+      end
+      string = string.gsub(Regexp.new('&(apos|amp|quot|gt|lt|#[0-9]+|#x[0-9A-Fa-f]+);'.encode(enc))) do
         case $1.encode(Encoding::US_ASCII)
         when 'apos'                then "'".encode(enc)
         when 'amp'                 then '&'.encode(enc)
@@ -61,8 +77,15 @@ module CGI::Util https://github.com/ruby/ruby/blob/trunk/lib/cgi/util.rb#L77
         when /\A#x([0-9a-f]+)\z/i  then $1.hex.chr(enc)
         end
       end
+      string.encode!(origenc) if origenc
+      return string
     end
-    asciicompat = Encoding.compatible?(string, "a")
+    return string unless string.include? '&'
+    charlimit = case enc
+                when Encoding::UTF_8; 0x10ffff
+                when Encoding::ISO_8859_1; 256
+                else 128
+                end
     string.gsub(/&(apos|amp|quot|gt|lt|\#[0-9]+|\#[xX][0-9A-Fa-f]+);/) do
       match = $1.dup
       case match
@@ -73,18 +96,14 @@ module CGI::Util https://github.com/ruby/ruby/blob/trunk/lib/cgi/util.rb#L96
       when 'lt'                  then '<'
       when /\A#0*(\d+)\z/
         n = $1.to_i
-        if enc == Encoding::UTF_8 or
-          enc == Encoding::ISO_8859_1 && n < 256 or
-          asciicompat && n < 128
+        if n < charlimit
           n.chr(enc)
         else
           "&##{$1};"
         end
       when /\A#x([0-9a-f]+)\z/i
         n = $1.hex
-        if enc == Encoding::UTF_8 or
-          enc == Encoding::ISO_8859_1 && n < 256 or
-          asciicompat && n < 128
+        if n < charlimit
           n.chr(enc)
         else
           "&#x#{$1};"
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 53753)
+++ ChangeLog	(revision 53754)
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Sat Feb  6 22:30:57 2016  Nobuyoshi Nakada  <nobu@r...>
+
+	* lib/cgi/util.rb (escapeHTML, unescapeHTML): consider
+	  ASCII-incompatible encodings.  [Fix GH-1239]
+
 Sat Feb  6 20:44:24 2016  Nobuyoshi Nakada  <nobu@r...>
 
 	* configure.in: check __int64_t and __int128_t for RUBY_DEFINT on
Index: test/cgi/test_cgi_util.rb
===================================================================
--- test/cgi/test_cgi_util.rb	(revision 53753)
+++ test/cgi/test_cgi_util.rb	(revision 53754)
@@ -98,6 +98,22 @@ class CGIUtilTest < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/cgi/test_cgi_util.rb#L98
     assert_equal("'&\"><", CGI::unescapeHTML("&#39;&amp;&quot;&gt;&lt;"))
   end
 
+  Encoding.list.each do |enc|
+    begin
+      escaped = "&#39;&amp;&quot;&gt;&lt;".encode(enc)
+      unescaped = "'&\"><".encode(enc)
+    rescue Encoding::ConverterNotFoundError
+      next
+    else
+      define_method("test_cgi_escapeHTML:#{enc.name}") do
+        assert_equal(escaped, CGI::escapeHTML(unescaped))
+      end
+      define_method("test_cgi_unescapeHTML:#{enc.name}") do
+        assert_equal(unescaped, CGI::unescapeHTML(escaped))
+      end
+    end
+  end
+
   def test_cgi_unescapeHTML_uppercasecharacter
     assert_equal("\xE3\x81\x82\xE3\x81\x84\xE3\x81\x86", CGI::unescapeHTML("&#x3042;&#x3044;&#X3046;"))
   end

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]