
Sanitize Rdoc output

Signed-off-by: David Radcliffe <radcliffe.david@gmail.com>
ivantsepp authored and dwradcliffe committed Apr 22, 2016
1 parent 711751e commit 47c715e5b7d96b3c4a6da680bc1403d85e12cde5
Showing with 9 additions and 2 deletions.
  1. +1 −1 app/helpers/rubygems_helper.rb
  2. +8 −1 test/unit/helpers/rubygems_helper_test.rb
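--- a/app/helpers/rubygems_helper.rb
+++ b/app/helpers/rubygems_helper.rb
@@ -25,7 +25,7 @@ def simple_markup(text)
 if text =~ /^==+ [A-Z]/
 options = RDoc::Options.new
 options.pipe = true
-RDoc::Markup.new.convert(text, RDoc::Markup::ToHtml.new(options)).html_safe
+sanitize RDoc::Markup.new.convert(text, RDoc::Markup::ToHtml.new(options))
 else
 content_tag :p, escape_once(sanitize(text.strip)), nil, false
 end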
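Review bot: `sanitize` is called on the RDoc output with no `tags:`/`attributes:` options, so the allowlist that protects this HTML lives in app-wide ActionView sanitizer configuration rather than at the call site, and it will silently change if that configuration is ever loosened. Pinning the policy here, e.g. `sanitize html, tags: %w[h1 h2 h3 h4 p a pre code em strong ul ol li], attributes: %w[href]`, makes the contract visible where the untrusted markup is rendered; the accompanying test change shows the defaults already strip the heading `id` (`<h2 id="label-FOO">` becomes `<h2>`), so heading anchors are lost either way unless `id` is re-allowed deliberately. The `else` branch two lines below still wraps its `sanitize` in `escape_once`, so the two paths now treat the same input differently; a one-line comment stating why the RDoc path must not be escaped (it is already HTML) would stop a future reader from "fixing" it. `simple_markup` starts before this hunk.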
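--- a/test/unit/helpers/rubygems_helper_test.rb
+++ b/test/unit/helpers/rubygems_helper_test.rb
@@ -144,7 +144,14 @@ class RubygemsHelperTest < ActionView::TestCase
 should 'work on rdoc strings' do
 text = '== FOO'
-assert_equal "\n<h2 id=\"label-FOO\">FOO</h2>\n", simple_markup(text)
+assert_equal "\n<h2>FOO</h2>\n", simple_markup(text)
+assert simple_markup(text).html_safe?
+end
+
+should 'sanitize rdoc strings' do
+text = "== FOO\nclick[javascript:alert('foo')]"
+assert_equal "\n<h2>FOO</h2>\n\n<p><a>click</a></p>\n", simple_markup(text)
+
 assert simple_markup(text).html_safe?
 end
 end
 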
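Review bot: The new 'sanitize rdoc strings' case pins RDoc's exact serialization (`"\n<h2>FOO</h2>\n\n<p><a>click</a></p>\n"`), so an RDoc upgrade that changes whitespace or tag output will break a security regression test for a non-security reason. Asserting the property directly, e.g. `refute_includes simple_markup(text), 'javascript:'` next to the existing `html_safe?` check, keeps the test tied to what it guards rather than to RDoc's formatting. Coverage is also limited to a `javascript:` link target; a second input carrying an inline `<script>` tag and an `on*` attribute would show whether those are dropped as well, assuming RDoc passes raw HTML through, which is not visible from this hunk. The enclosing test class starts before this hunk.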