[ruby/rdoc] Escape file names

https://hackerone.com/reports/1321358 https://github.com/ruby/rdoc/commit/8c07cc4657
author: Nobuyoshi Nakada <nobu@ruby-lang.org> 2021-08-28 17:41:47 +0900
committer: git <svn-admin@ruby-lang.org> 2022-10-07 12:12:08 +0900
commit: a3cb09c7d17f2626ebd6eae774f0425d602ed95b (patch)
tree: adecae701b63e13bf852bd0aead3a832df8ef35a /test/rdoc
parent: 8d0b2162a09183eb3d58a5a1d824b4daf16bf3c8 (diff)
download: ruby-a3cb09c7d17f2626ebd6eae774f0425d602ed95b.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index 1cee3e44ab..140cf0916b 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -233,6 +233,20 @@ class TestRDocGeneratorDarkfish < RDoc::TestCase
     assert_includes method_name, '{ |%&lt;&lt;script&gt;alert(&quot;atui&quot;)&lt;/script&gt;&gt;, yield_arg| ... }'
   end
 
+  def test_generated_filename_with_html_tag
+    @store.add_file '"><em>should be escaped'
+    doc = @store.all_files.last
+    doc.parser = RDoc::Parser::Simple
+
+    @g.generate
+
+    Dir.glob("*.html", base: @tmpdir) do |html|
+      File.read(File.join(@tmpdir, html)).scan(/.*should be escaped.*/) do |line|
+        assert_not_include line, "<em>", html
+      end
+    end
+  end
+
   def test_template_stylesheets
     css = Tempfile.create(%W'hoge .css', Dir.mktmpdir('tmp', '.'))
     File.write(css, '')
author	Nobuyoshi Nakada <nobu@ruby-lang.org>	2021-08-28 17:41:47 +0900
committer	git <svn-admin@ruby-lang.org>	2022-10-07 12:12:08 +0900
commit	a3cb09c7d17f2626ebd6eae774f0425d602ed95b (patch)
tree	adecae701b63e13bf852bd0aead3a832df8ef35a /test/rdoc
parent	8d0b2162a09183eb3d58a5a1d824b4daf16bf3c8 (diff)
download	ruby-a3cb09c7d17f2626ebd6eae774f0425d602ed95b.tar.gz