ruby-changes:73889
From: Nobuyoshi <ko1@a...>
Date: Fri, 7 Oct 2022 12:12:23 +0900 (JST)
Subject: [ruby-changes:73889] a3cb09c7d1 (master): [ruby/rdoc] Escape file names
https://git.ruby-lang.org/ruby.git/commit/?id=a3cb09c7d1 From a3cb09c7d17f2626ebd6eae774f0425d602ed95b Mon Sep 17 00:00:00 2001 From: Nobuyoshi Nakada <nobu@r...> Date: Sat, 28 Aug 2021 17:41:47 +0900 Subject: [ruby/rdoc] Escape file names https://hackerone.com/reports/1321358 https://github.com/ruby/rdoc/commit/8c07cc4657 --- lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml | 6 +++--- .../generator/template/darkfish/table_of_contents.rhtml | 4 ++-- test/rdoc/test_rdoc_generator_darkfish.rb | 14 ++++++++++++++ 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml index 0ed683ca14..3f68f0c0dc 100644 --- a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml +++ b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml @@ -12,18 +12,18 @@ https://github.com/ruby/ruby/blob/trunk/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml#L12 <%- end.each do |n, files| -%> <%- f = files.shift -%> <%- if files.empty? -%> - <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a> + <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a> <%- next -%> <%- end -%> <li><details<% if dir == n %> open<% end %>><summary><% if n == f.page_name - %><a href="<%= rel_prefix %>/<%= f.path %>"><%= h n %></a><% + %><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h n %></a><% else %><%= h n %><% files.unshift(f) end %></summary> <ul class="link-list"> <%- files.each do |f| -%> - <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a> + <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a> <%- end -%> </ul></details> <%- end -%> diff --git a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml index 303d7016cc..941ff9d630 100644 --- a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml 
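Review bot: `h` only HTML-escapes `f.path` in the three changed links of this hunk, which keeps a file name from closing the `href` attribute but is not URL encoding. A page name containing `#`, `?` or `%` would therefore still produce a link that resolves somewhere other than the generated file. Whether `f.path` is already percent-encoded before it reaches the template is not visible here; if it is not, it should be encoded per path segment before HTML escaping. A template comment such as `<%# f.path is percent-encoded by the generator; h only guards the attribute %>` would record that assumption. The same applies to the two `file.path` links in table_of_contents.rhtml.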
+++ b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml @@ -8,14 +8,14 @@ https://github.com/ruby/ruby/blob/trunk/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml#L8 <ul> <%- simple_files.sort.each do |file| -%> <li class="file"> - <a href="<%= file.path %>"><%= h file.page_name %></a> + <a href="<%= h file.path %>"><%= h file.page_name %></a> <% # HACK table_of_contents should not exist on Document table = file.parse(file.comment).table_of_contents unless table.empty? then %> <ul> <%- table.each do |heading| -%> - <li><a href="<%= file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a> + <li><a href="<%= h file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a> <%- end -%> </ul> <%- end -%> diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb index 1cee3e44ab..140cf0916b 100644 --- a/test/rdoc/test_rdoc_generator_darkfish.rb +++ b/test/rdoc/test_rdoc_generator_darkfish.rb @@ -233,6 +233,20 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase https://github.com/ruby/ruby/blob/trunk/test/rdoc/test_rdoc_generator_darkfish.rb#L233 assert_includes method_name, '{ |%<<script>alert("atui")</script>>, yield_arg| ... }' end + def test_generated_filename_with_html_tag + @store.add_file '"><em>should be escaped' + doc = @store.all_files.last + doc.parser = RDoc::Parser::Simple + + @g.generate + + Dir.glob("*.html", base: @tmpdir) do |html| + File.read(File.join(@tmpdir, html)).scan(/.*should be escaped.*/) do |line| + assert_not_include line, "<em>", html + end + end + end + def test_template_stylesheets css = Tempfile.create(%W'hoge .css', Dir.mktmpdir('tmp', '.')) File.write(css, '') -- cgit v1.2.1 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
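Review bot: In the heading link of table_of_contents.rhtml, `heading.aref` is still written into the same `href` attribute without `h`, right next to the newly escaped `file.path`. If `aref` is derived from heading text and is not guaranteed to be attribute-safe (its implementation is not visible in this hunk), the attribute can still be broken from that side. Either escape it as well, `<a href="<%= h file.path %>#<%= h heading.aref %>">`, or add a short comment stating why `aref` and the raw `heading.plain_html` output are already safe to emit.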
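Review bot: `test_generated_filename_with_html_tag` passes vacuously when no generated page contains "should be escaped", because the only assertion sits inside the `scan` block and nothing checks that the block ever ran. Count the matches and require at least one: `hits = 0` before `Dir.glob`, `hits += 1` inside the `scan` block, and `assert_operator hits, :>, 0` after the loop. The test also checks only for `<em>`, so the leading `"` of the file name, which is the character that would close the `href` attribute, is never asserted on. Assuming `h` emits `&quot;`, an additional check that the link line includes `&quot;` would pin the attribute case too.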