ruby-changes:73885
From: Nobuyoshi <ko1@a...>
Date: Fri, 7 Oct 2022 12:09:45 +0900 (JST)
Subject: [ruby-changes:73885] 586e18b946 (master): [ruby/rdoc] Escape HYPERLINKs
https://git.ruby-lang.org/ruby.git/commit/?id=586e18b946 From 586e18b94645b2d3181720d311fcd72b4bb2ca88 Mon Sep 17 00:00:00 2001 From: Nobuyoshi Nakada <nobu@r...> Date: Wed, 13 Apr 2022 16:14:28 +0900 Subject: [ruby/rdoc] Escape HYPERLINKs https://github.com/ruby/rdoc/commit/ac35485be6 --- lib/rdoc/markup/to_html.rb | 2 +- test/rdoc/test_rdoc_markup_to_html.rb | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/rdoc/markup/to_html.rb b/lib/rdoc/markup/to_html.rb index ccafdb61ba..bf323074de 100644 --- a/lib/rdoc/markup/to_html.rb +++ b/lib/rdoc/markup/to_html.rb @@ -123,7 +123,7 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter https://github.com/ruby/ruby/blob/trunk/lib/rdoc/markup/to_html.rb#L123 # Reference to a local file relative to the output directory. def handle_regexp_HYPERLINK(target) - url = target.text + url = CGI.escapeHTML(target.text) gen_url url, url end diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb index 3e4a8e8915..d11c2a4ed7 100644 --- a/test/rdoc/test_rdoc_markup_to_html.rb +++ b/test/rdoc/test_rdoc_markup_to_html.rb @@ -836,6 +836,11 @@ EXPECTED https://github.com/ruby/ruby/blob/trunk/test/rdoc/test_rdoc_markup_to_html.rb#L836 assert_equal '<a href="irc://irc.freenode.net/#ruby-lang">irc.freenode.net/#ruby-lang</a>', link end + def test_handle_regexp_HYPERLINK_escape + code = 'irc://irc.freenode.net/"><script>alert(`irc`)</script><a"' + assert_escaped '<script>', code + end + def test_list_verbatim_2 str = "* one\n verb1\n verb2\n* two\n" -- cgit v1.2.1 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
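Review bot: In the `handle_regexp_HYPERLINK` hunk, `url = CGI.escapeHTML(target.text)` relies on the `CGI` module already being loaded in lib/rdoc/markup/to_html.rb, and the hunk does not show a `require 'cgi'` (or `cgi/util`); please confirm the file requires it, otherwise this raises `NameError` at the first hyperlink. The escaped string is then passed to `gen_url url, url` for both the `href` and the link text, so if `gen_url` performs any escaping of its own the result will be double-escaped (`&` becoming `&amp;amp;`); worth checking `gen_url` before merging. Also note that `CGI.escapeHTML` only neutralises the HTML metacharacters (`<`, `>`, `&`, `"`, `'`) so the link can no longer break out of the attribute; it does not validate the URL scheme, so any scheme filtering that is wanted still has to happen in `gen_url` or its caller.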
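Review bot: In the test hunk, `test_handle_regexp_HYPERLINK_escape` only asserts that `<script>` is absent via `assert_escaped '<script>', code`, which is weaker than the neighbouring `assert_equal '<a href="irc://...">...</a>', link` style and would not catch double-escaping of the href. Suggest adding an exact expectation of the rendered anchor for the payload (with `&quot;`, `&lt;` and `&gt;` in both the `href` and the link text) alongside the negative check, and confirm that `assert_escaped` is defined in the test helper, since it is not introduced by this hunk.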