Sanitize HTML attributes that come from extended attributes. Fixes #114.

bhollis · Dec 16, 2013 · 7363179 · 7363179 · distler · Dec 16, 2013
1 parent c35f215
commit 7363179
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/lib/maruku/output/to_html.rb b/lib/maruku/output/to_html.rb
@@ -392,7 +392,7 @@ def html_element(name, content="", attributes={})
 
     Array(HTML4Attributes[name]).each do |att|
       if v = @attributes[att]
-        attributes[att.to_s] = v.to_s
+        attributes[CGI.escapeHTML(att.to_s)] = CGI.escapeHTML(v.to_s)
       end
     end
     content = yield if block_given?

diff --git a/spec/block_docs/attribute_sanitize.md b/spec/block_docs/attribute_sanitize.md
@@ -0,0 +1,22 @@
+Make sure extended attributes get escaped when generating HTML: https://github.com/bhollis/maruku/issues/114
+*** Parameters: ***
+{} # params
+*** Markdown input: ***
+*foo*{: style='ball & chain'}
+
+*foo*{: style='ball\008 chain'}
+
+*foo*{: style='ball\" badAttribute=\"chain'}
+*** Output of inspect ***
+md_el(:document, [
+  md_par(md_em("foo", [["style", "ball & chain"]])),
+  md_par(md_em("foo", [["style", "ball\\008 chain"]])),
+  md_par(md_em("foo", [["style", "ball\" badAttribute=\"chain"]]))
+])
+*** Output of to_html ***
+<p><em style="ball &amp; chain">foo</em>
+</p>
+<p><em style="ball\008 chain">foo</em>
+</p>
+<p><em style="ball&quot; badAttribute=&quot;chain">foo</em>
+</p>