Stricter escaping of strings, bump version to 0.5.3

pdfkit · Feb 21, 2013 · ce37ffc · ce37ffc
1 parent d7690c4
commit ce37ffc
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 4 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    pdfkit (0.5.2)
+    pdfkit (0.5.3)
 
 GEM
   remote: http://rubygems.org/

diff --git a/lib/pdfkit/pdfkit.rb b/lib/pdfkit/pdfkit.rb
@@ -1,3 +1,5 @@
+require 'shellwords'
+
 class PDFKit
 
   class NoExecutableError < StandardError
@@ -42,7 +44,7 @@ def command(path = nil)
 
     args << (path || '-') # Write to file or stdout
 
-    args.map {|arg| %Q{"#{arg.gsub('"', '\"')}"}}
+    args.map {|arg| %Q{"#{arg.shellescape}"}}
   end
 
   def executable

diff --git a/lib/pdfkit/version.rb b/lib/pdfkit/version.rb
@@ -1,3 +1,3 @@
 class PDFKit
-  VERSION = "0.5.2"
+  VERSION = "0.5.3"
 end
diff --git a/spec/pdfkit_spec.rb b/spec/pdfkit_spec.rb
@@ -67,7 +67,12 @@
 
     it "should encapsulate string arguments in quotes" do
       pdfkit = PDFKit.new('html', :header_center => "foo [page]")
-      pdfkit.command[pdfkit.command.index('"--header-center"') + 1].should == '"foo [page]"'
+      pdfkit.command[pdfkit.command.index('"--header-center"') + 1].should == '"foo\ \[page\]"'
+    end
+
+    it "should sanitize string arguments" do
+      pdfkit = PDFKit.new('html', :header_center => "$(ls)")
+      pdfkit.command[pdfkit.command.index('"--header-center"') + 1].should == '"\$\(ls\)"'
     end
 
     it "read the source from stdin if it is html" do