Sanitize Rdoc output
Signed-off-by: David Radcliffe <radcliffe.david@gmail.com>
ivantsepp authored and dwradcliffe committed Apr 26, 2016
1 parent 711751e commit 47c715e
Showing 2 changed files with 9 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/helpers/rubygems_helper.rb
Expand Up @@ -25,7 +25,7 @@ def simple_markup(text)
if text =~ /^==+ [A-Z]/
options = RDoc::Options.new
options.pipe = true
RDoc::Markup.new.convert(text, RDoc::Markup::ToHtml.new(options)).html_safe
sanitize RDoc::Markup.new.convert(text, RDoc::Markup::ToHtml.new(options))
else
content_tag :p, escape_once(sanitize(text.strip)), nil, false
end
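Review bot: Replacing `.html_safe` with `sanitize` on the RDoc HTML is the right fix for the `javascript:` link case, but the default Rails sanitizer also drops the `id` attribute that RDoc puts on headings (the updated test shows `id="label-FOO"` disappearing), so any in-page anchor links to section labels stop resolving. If those anchors matter, pass an explicit allowlist such as `sanitize(html, attributes: %w(href id))` instead of relying on the defaults, keeping in mind that author-controlled ids can then collide with ids used elsewhere on the page, so scope what is permitted deliberately. A short comment on the `sanitize` line explaining why the id loss is accepted would also help the next reader.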
9 changes: 8 additions & 1 deletion test/unit/helpers/rubygems_helper_test.rb
Expand Up @@ -144,7 +144,14 @@ class RubygemsHelperTest < ActionView::TestCase

should 'work on rdoc strings' do
text = '== FOO'
assert_equal "\n<h2 id=\"label-FOO\">FOO</h2>\n", simple_markup(text)
assert_equal "\n<h2>FOO</h2>\n", simple_markup(text)
assert simple_markup(text).html_safe?
end

should 'sanitize rdoc strings' do
text = "== FOO\nclick[javascript:alert('foo')]"
assert_equal "\n<h2>FOO</h2>\n\n<p><a>click</a></p>\n", simple_markup(text)

assert simple_markup(text).html_safe?
end
end
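Review bot: The new `should 'sanitize rdoc strings'` test pins the exact HTML string that RDoc emits, which is brittle across RDoc versions and does not state the security intent directly; add an assertion such as `refute_includes simple_markup(text), 'javascript:'` alongside the exact-match one so the test still fails for the right reason if the markup changes. The test also only exercises the `javascript:` URI scheme; a second input with a raw `<script>` tag embedded in the RDoc text would confirm the sanitizer strips elements as well as attributes. The stray blank line before `assert simple_markup(text).html_safe?` is a style nit worth removing to match the test above it.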
