ruby-changes:73886
From: Nobuyoshi <ko1@a...>
Date: Fri, 7 Oct 2022 12:09:45 +0900 (JST)
Subject: [ruby-changes:73886] 8d0b2162a0 (master): [ruby/rdoc] Escape main title
https://git.ruby-lang.org/ruby.git/commit/?id=8d0b2162a0
From 8d0b2162a09183eb3d58a5a1d824b4daf16bf3c8 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@r...>
Date: Wed, 13 Apr 2022 22:02:21 +0900
Subject: [ruby/rdoc] Escape main title
https://hackerone.com/reports/1187156
https://github.com/ruby/rdoc/commit/5dedb5741d
---
 lib/rdoc/generator/template/darkfish/index.rhtml | 2 +-
 test/rdoc/test_rdoc_generator_darkfish.rb | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/lib/rdoc/generator/template/darkfish/index.rhtml b/lib/rdoc/generator/template/darkfish/index.rhtml
index 13fa3dcc7f..423e225b68 100644
--- a/lib/rdoc/generator/template/darkfish/index.rhtml
+++ b/lib/rdoc/generator/template/darkfish/index.rhtml
@@ -17,6 +17,6 @@ https://github.com/ruby/ruby/blob/trunk/lib/rdoc/generator/template/darkfish/index.rhtml#L17
 main_page = @files.find { |f| f.full_name == @options.main_page } then %>
 <%= main_page.description %>
 <%- else -%>
-<p>This is the API documentation for <%= @title %>.
+<p>This is the API documentation for <%= h @title %>.
 <%- end -%>
 </main>
diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index ae3a4c5ebf..1cee3e44ab 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -248,6 +248,22 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase https://github.com/ruby/ruby/blob/trunk/test/rdoc/test_rdoc_generator_darkfish.rb#L248
 assert_include File.read('index.html'), %Q[href="./#{base}"]
 end
 
+ def test_title
+ title = "RDoc Test".freeze
+ @options.title = title
+ @g.generate
+
+ assert_main_title(File.read('index.html'), title)
+ end
+
+ def test_title_escape
+ title = %[<script>alert("RDoc")</script>].freeze
+ @options.title = title
+ @g.generate
+
+ assert_main_title(File.read('index.html'), title)
+ end
+
 ##
 # Asserts that +filename+ has a link count greater than 1 if hard links to
 # @tmpdir are supported.
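Review bot: The escape is added at this single interpolation of `@title`, but the same user-supplied value (`@options.title`) is rendered in other places as well — the `<title>` element that the new `assert_main_title` helper also checks is not part of this hunk — so whether those other sites already go through the same `h` helper is worth confirming before treating the report as closed. A template comment would keep a later edit from dropping the escape, e.g. `<%# @title is user-supplied; keep it escaped with h %>` directly above the `<p>` line. The `if` that this `else` branch belongs to opens before the start of the hunk.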
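Review bot: `test_title_escape` asserts only that the escaped form of the title is present; nothing asserts that the raw `<script>` payload is absent from the generated page, so an unescaped copy of the title rendered in another part of index.html would still pass. The negative counterpart of the `assert_include` this file already uses closes that gap, e.g. `assert_not_include File.read('index.html'), title` after the existing `assert_main_title` call, reading the file into a local once if both checks stay. The `.freeze` on both literals is redundant if the file carries the frozen-string-literal magic comment, which is outside the hunk.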
@@ -271,4 +287,9 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase https://github.com/ruby/ruby/blob/trunk/test/rdoc/test_rdoc_generator_darkfish.rb#L287
 "#(unknown) is not hard-linked"
 end
 
+ def assert_main_title(content, title)
+ title = CGI.escapeHTML(title)
+ assert_equal(title, content[%r[<title>(.*?)<\/title>]im, 1])
+ assert_include(content[%r[<main\s[^<>]*+>\s*(.*?)</main>]im, 1], title)
+ end
 end
-- cgit v1.2.1
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
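Review bot: `assert_main_title` has no header comment although the neighbouring helper uses the `##` / `# Asserts that …` style, and its name understates what it checks (both the `<title>` element and the `<main>` body), so a header such as `## # Asserts that +title+, HTML-escaped, is the exact <title> of +content+ and appears inside its <main> element.` above the `def` would help. `content[%r[...], 1]` returns nil when the element is missing, which makes the `assert_include` raise instead of failing with a useful message; an `assert_not_nil` on the captured `<main>` text first, or passing a message naming the page, would make a regression clearer. Reassigning the `title` parameter to its escaped form also reads oddly next to the unescaped `title` the callers pass; a separate local (`escaped = CGI.escapeHTML(title)`) avoids the confusion. The helper relies on `CGI` being loaded by something required earlier in the file, which is outside the hunk.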