ruby-changes:73887
From: Nobuyoshi <ko1@a...>
Date: Fri, 7 Oct 2022 12:09:46 +0900 (JST)
Subject: [ruby-changes:73887] 9e3ab9da7f (master): [ruby/rdoc] Escape RDOCLINKs
https://git.ruby-lang.org/ruby.git/commit/?id=9e3ab9da7f
From 9e3ab9da7fe6d4910a48d808e582e825d7b7467d Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@r...>
Date: Wed, 13 Apr 2022 16:14:07 +0900
Subject: [ruby/rdoc] Escape RDOCLINKs
https://hackerone.com/reports/1187156
https://github.com/ruby/rdoc/commit/7cecf1efae
---
 lib/rdoc/markup/to_html.rb | 12 +++++-------
 test/rdoc/test_rdoc_markup_to_html.rb | 25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/lib/rdoc/markup/to_html.rb b/lib/rdoc/markup/to_html.rb
index 3c4f82f748..ccafdb61ba 100644
--- a/lib/rdoc/markup/to_html.rb
+++ b/lib/rdoc/markup/to_html.rb
@@ -84,7 +84,7 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter https://github.com/ruby/ruby/blob/trunk/lib/rdoc/markup/to_html.rb#L84
 def handle_RDOCLINK url # :nodoc:
 case url
 when /^rdoc-ref:/
- $'
+ CGI.escapeHTML($')
 when /^rdoc-label:/
 text = $'
@@ -95,13 +95,11 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter https://github.com/ruby/ruby/blob/trunk/lib/rdoc/markup/to_html.rb#L95
 else
 text
 end
- gen_url url, text
+ gen_url CGI.escapeHTML(url), CGI.escapeHTML(text)
 when /^rdoc-image:/
- "<img src=\"#{$'}\">"
- else
- url =~ /\Ardoc-[a-z]+:/
-
- $'
+ %[<img src=\"#{CGI.escapeHTML($')}\">]
+ when /\Ardoc-[a-z]+:/
+ CGI.escapeHTML($')
 end
 end
diff --git a/test/rdoc/test_rdoc_markup_to_html.rb b/test/rdoc/test_rdoc_markup_to_html.rb
index 8a38694c45..3e4a8e8915 100644
--- a/test/rdoc/test_rdoc_markup_to_html.rb
+++ b/test/rdoc/test_rdoc_markup_to_html.rb
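Review bot: The `rdoc-ref:` and `rdoc-label:` branches in this hunk (and the `rdoc-image:` branch in the second hunk of this file) still anchor with `^`, while the new catch-all branch uses `\Ardoc-[a-z]+:`; in Ruby `^` matches at the start of any line, so a url that happens to contain a newline would match the prefix pattern on a later line and `$'` would then yield only the text after that later match. Anchoring all four patterns the same way, e.g. `when /\Ardoc-ref:/`, keeps the scheme check on the whole string and makes the branches consistent with the one this commit introduces. Whether a newline can actually reach handle_RDOCLINK depends on the tokenizer, which is outside this diff. handle_RDOCLINK's body continues past this hunk.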
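Review bot: In the `rdoc-label:` branch the url is HTML-escaped before it is handed to `gen_url`, so `gen_url` now parses an already-escaped string; if `gen_url` (defined outside this hunk) or a subclass override escapes the href itself, an `&` in a label path would come out as `&amp;amp;`, and if it splits the url on any character that `CGI.escapeHTML` rewrites, the split changes. Worth confirming against `gen_url` and its overrides, and a comment on the call, `# url and text are already escaped; gen_url must not escape them again`, would record that contract for the next reader. The hunk also relies on `CGI` being loaded; this file's `require` lines are not visible here. handle_RDOCLINK starts before this hunk and ends at its final `end`.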
@@ -665,6 +665,26 @@ EXPECTED https://github.com/ruby/ruby/blob/trunk/test/rdoc/test_rdoc_markup_to_html.rb#L665
 assert_equal "\n<p>C</p>\n", result
 end
+ def test_convert_RDOCLINK_escape_image
+ assert_escaped '<script>', 'rdoc-image:"><script>alert(`rdoc-image`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_label_id
+ assert_escaped '<script>', 'rdoc-label::path::"><script>alert(`rdoc-label_id`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_label_path
+ assert_escaped '<script>', 'rdoc-label::"><script>alert(`rdoc-label_path`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_ref
+ assert_escaped '<script>', 'rdoc-ref:"><script>alert(`rdoc-ref`)</script>"'
+ end
+
+ def test_convert_RDOCLINK_escape_xxx
+ assert_escaped '<script>', 'rdoc-xxx:"><script>alert(`rdoc-xxx`)</script>"'
+ end
+
 def test_convert_TIDYLINK_footnote
 result = @to.convert 'text{*1}[rdoc-label:foottext-1:footmark-1]'
@@ -690,6 +710,11 @@ EXPECTED https://github.com/ruby/ruby/blob/trunk/test/rdoc/test_rdoc_markup_to_html.rb#L710
 "\n<p><a href=\"http://example.com\"><img src=\"path/to/image.jpg\"></a></p>\n"
 assert_equal expected, result
+
+ result =
+ @to.convert '{rdoc-image:<script>alert`link text`</script>}[http://example.com]'
+
+ assert_not_include result, "<script>"
 end
 def test_convert_TIDYLINK_rdoc_label
--
cgit v1.2.1
--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
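Review bot: The five new tests in this hunk, and the added check in the second hunk of this file, only assert that the literal `<script>` is absent from the output, which a regression that drops or truncates the link text would also satisfy. Asserting the escaped rendering is present as well, e.g. `assert_include result, '&lt;script&gt;'` after the `assert_not_include` in the second hunk, or comparing against the full expected HTML as the neighbouring TIDYLINK tests do, pins the behavior the commit intends rather than just the absence of one substring. The `assert_escaped` helper the new tests call is not defined in this diff, so what it actually checks cannot be confirmed from the hunk.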