You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57 lines
1.7 KiB
57 lines
1.7 KiB
From a699c82292b17c8e6a62e1914d5eccc252272793 Mon Sep 17 00:00:00 2001
|
|
From: Robin Dupret <robin.dupret@hey.com>
|
|
Date: Tue, 15 Dec 2020 20:57:32 +0100
|
|
Subject: [PATCH] Fix a security issue using `:quote` with `:escape_html`
|
|
|
|
Reported by @johan-smits.
|
|
---
|
|
CHANGELOG.md | 7 +++++++
|
|
ext/redcarpet/html.c | 9 ++++++++-
|
|
lib/redcarpet.rb | 2 +-
|
|
redcarpet.gemspec | 4 ++--
|
|
test/markdown_test.rb | 10 ++++++++++
|
|
5 files changed, 28 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c
|
|
index 805ddd8e..785f780f 100644
|
|
--- a/ext/redcarpet/html.c
|
|
+++ b/ext/redcarpet/html.c
|
|
@@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque)
|
|
if (!text || !text->size)
|
|
return 0;
|
|
|
|
+ struct html_renderopt *options = opaque;
|
|
+
|
|
BUFPUTSL(ob, "<q>");
|
|
- bufput(ob, text->data, text->size);
|
|
+
|
|
+ if (options->flags & HTML_ESCAPE)
|
|
+ escape_html(ob, text->data, text->size);
|
|
+ else
|
|
+ bufput(ob, text->data, text->size);
|
|
+
|
|
BUFPUTSL(ob, "</q>");
|
|
|
|
return 1;
|
|
diff --git a/test/markdown_test.rb b/test/markdown_test.rb
|
|
index 4347be9b..68de1255 100644
|
|
--- a/test/markdown_test.rb
|
|
+++ b/test/markdown_test.rb
|
|
@@ -220,6 +220,16 @@ def test_quote_flag_works
|
|
assert output.include? '<q>quote</q>'
|
|
end
|
|
|
|
+ def test_quote_flag_honors_escape_html
|
|
+ text = 'We are not "<svg/onload=pwned>"'
|
|
+
|
|
+ output_enabled = render(text, with: [:quote, :escape_html])
|
|
+ output_disabled = render(text, with: [:quote])
|
|
+
|
|
+ assert_equal "<p>We are not <q><svg/onload=pwned></q></p>\n", output_enabled
|
|
+ assert_equal "<p>We are not <q><svg/onload=pwned></q></p>\n", output_disabled
|
|
+ end
|
|
+
|
|
def test_that_fenced_flag_works
|
|
text = <<fenced
|
|
This is a simple test
|