authorNobuyoshi Nakada <nobu@ruby-lang.org>2021-08-28 17:41:47 +0900
committergit <svn-admin@ruby-lang.org>2022-10-07 12:12:08 +0900
commita3cb09c7d17f2626ebd6eae774f0425d602ed95b (patch)
treeadecae701b63e13bf852bd0aead3a832df8ef35a
parent8d0b2162a09183eb3d58a5a1d824b4daf16bf3c8 (diff)
[ruby/rdoc] Escape file names
Reported at https://hackerone.com/reports/1321358; upstream fix: https://github.com/ruby/rdoc/commit/8c07cc4657
-rw-r--r--lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml6
-rw-r--r--lib/rdoc/generator/template/darkfish/table_of_contents.rhtml4
-rw-r--r--test/rdoc/test_rdoc_generator_darkfish.rb14
3 files changed, 19 insertions, 5 deletions
diff --git a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
index 0ed683ca14..3f68f0c0dc 100644
--- a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
+++ b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
@@ -12,18 +12,18 @@
<%- end.each do |n, files| -%>
<%- f = files.shift -%>
<%- if files.empty? -%>
- <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
+ <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
<%- next -%>
<%- end -%>
<li><details<% if dir == n %> open<% end %>><summary><%
if n == f.page_name
- %><a href="<%= rel_prefix %>/<%= f.path %>"><%= h n %></a><%
+ %><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h n %></a><%
else
%><%= h n %><% files.unshift(f)
end %></summary>
<ul class="link-list">
<%- files.each do |f| -%>
- <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
+ <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
<%- end -%>
</ul></details>
<%- end -%>
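Review bot: `rel_prefix` is still interpolated raw into the same `href` attributes as the now-escaped `f.path` on all three changed lines; it looks like a generator-computed `../` chain rather than anything derived from input file names, but that is not visible in this hunk and is worth confirming before treating the attribute as fully covered. Since this regression came from treating a filesystem-derived name as safe markup, a template comment would help the next editor, e.g. `<%# file paths come from the filesystem and are untrusted: always emit them via h %>` at the top of the partial. Note that `h` only HTML-escapes: a name containing `?`, `#` or `%` still yields a harmless but wrong link target, which would need a separate URL-encoding step if such names are meant to be supported. The `each` loop these lines belong to begins before the hunk.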
diff --git a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
index 303d7016cc..941ff9d630 100644
--- a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
+++ b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
@@ -8,14 +8,14 @@
<ul>
<%- simple_files.sort.each do |file| -%>
<li class="file">
- <a href="<%= file.path %>"><%= h file.page_name %></a>
+ <a href="<%= h file.path %>"><%= h file.page_name %></a>
<%
# HACK table_of_contents should not exist on Document
table = file.parse(file.comment).table_of_contents
unless table.empty? then %>
<ul>
<%- table.each do |heading| -%>
- <li><a href="<%= file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
+ <li><a href="<%= h file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
<%- end -%>
</ul>
<%- end -%>
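Review bot: `heading.aref` on the added line L61 is still interpolated unescaped into the same `href` attribute as the now-escaped `file.path`; if aref is derived from heading text rather than reduced to an id-safe character set, it is the same attribute-injection class this commit fixes and should either be escaped as well, `<li><a href="<%= h file.path %>#<%= h heading.aref %>"><%= heading.plain_html %></a>`, or its sanitization confirmed where aref is generated. `heading.plain_html` is presumably already-rendered markup and is reasonably left as is. The `simple_files.sort.each` loop opened at L50 closes outside the hunk.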
diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index 1cee3e44ab..140cf0916b 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -233,6 +233,20 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
assert_includes method_name, '{ |%&lt;&lt;script&gt;alert(&quot;atui&quot;)&lt;/script&gt;&gt;, yield_arg| ... }'
end
+ def test_generated_filename_with_html_tag
+ @store.add_file '"><em>should be escaped'
+ doc = @store.all_files.last
+ doc.parser = RDoc::Parser::Simple
+
+ @g.generate
+
+ Dir.glob("*.html", base: @tmpdir) do |html|
+ File.read(File.join(@tmpdir, html)).scan(/.*should be escaped.*/) do |line|
+ assert_not_include line, "<em>", html
+ end
+ end
+ end
+
def test_template_stylesheets
css = Tempfile.create(%W'hoge .css', Dir.mktmpdir('tmp', '.'))
File.write(css, '')
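Review bot: The new test passes vacuously if no generated line contains "should be escaped" at all (for example if the file page or sidebar entry is not emitted), because `assert_not_include` only runs inside the `scan` block; record that at least one line was inspected and assert on it. `Dir.glob("*.html", base: @tmpdir)` is also non-recursive, so any page the generator writes into a subdirectory, where the sidebar partial is still rendered, is not checked; `"**/*.html"` covers those. Checking for `<em>` is sufficient for the attribute break-out, since the `"` and `>` of the injected name go through the same `h` call.
```ruby
  def test_generated_filename_with_html_tag
    # … unchanged: add_file / parser / generate …
    inspected = false
    Dir.glob("**/*.html", base: @tmpdir) do |html|
      File.read(File.join(@tmpdir, html)).scan(/.*should be escaped.*/) do |line|
        inspected = true
        assert_not_include line, "<em>", html
      end
    end
    assert inspected, "no generated page referenced the injected file name"
  end
```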