From a699c82292b17c8e6a62e1914d5eccc252272793 Mon Sep 17 00:00:00 2001 From: Robin Dupret Date: Tue, 15 Dec 2020 20:57:32 +0100 Subject: [PATCH] Fix a security issue using `:quote` with `:escape_html` Reported by @johan-smits. --- CHANGELOG.md | 7 +++++++ ext/redcarpet/html.c | 9 ++++++++- lib/redcarpet.rb | 2 +- redcarpet.gemspec | 4 ++-- test/markdown_test.rb | 10 ++++++++++ 5 files changed, 28 insertions(+), 4 deletions(-) diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c index 805ddd8e..785f780f 100644 --- a/ext/redcarpet/html.c +++ b/ext/redcarpet/html.c @@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque) if (!text || !text->size) return 0; + struct html_renderopt *options = opaque; + BUFPUTSL(ob, ""); - bufput(ob, text->data, text->size); + + if (options->flags & HTML_ESCAPE) + escape_html(ob, text->data, text->size); + else + bufput(ob, text->data, text->size); + BUFPUTSL(ob, ""); return 1; diff --git a/test/markdown_test.rb b/test/markdown_test.rb index 4347be9b..68de1255 100644 --- a/test/markdown_test.rb +++ b/test/markdown_test.rb @@ -220,6 +220,16 @@ def test_quote_flag_works assert output.include? 'quote' end + def test_quote_flag_honors_escape_html + text = 'We are not ""' + + output_enabled = render(text, with: [:quote, :escape_html]) + output_disabled = render(text, with: [:quote]) + + assert_equal "
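Review bot: The new `if (options->flags & HTML_ESCAPE)` branch in rndr_quote is the only guard on the quoted span, so any renderer configured without `:escape_html` still gets the span copied verbatim through the `else` branch, which the accompanying test pins as intended (`output_disabled` keeps the raw tag). If the renderer offers another flag that suppresses raw HTML (presumably the `:filter_html` / HTML_SKIP_HTML option that the raw-HTML callback honours elsewhere in html.c), the quote path does not consult it and would still emit the raw bytes, so either extend the check to that flag as well or document that `:quote` bypasses it. A short comment would also help the next reader, since why escaping is needed in this callback at all is not visible from the hunk: `/* text is the raw source span, not inline-rendered output, so it bypasses the normal_text/raw_html escaping and must be escaped here */` — that premise should be confirmed against char_quote in markdown.c before it is written down. The BUFPUTSL arguments appear as empty strings in this rendering, which looks like lost markup (the opening and closing q tags) rather than what was committed, so nothing is raised about them. rndr_quote's signature is only the hunk's @@ context and its closing brace lies past the end of the hunk.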

We are not <svg/onload=pwned>

\n", output_enabled + assert_equal "

We are not

\n", output_disabled + end + def test_that_fenced_flag_works text = <