69 lines
3.6 KiB
Diff
69 lines
3.6 KiB
Diff
From 725d6f699f589d9b5454e189d33292027532984d Mon Sep 17 00:00:00 2001
|
|
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
|
|
Date: Fri, 21 Feb 2025 15:53:31 +0900
|
|
Subject: [PATCH] Escape/unescape unclosed tags as well
|
|
|
|
Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
|
---
|
|
lib/cgi/util.rb | 4 ++--
|
|
test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
|
|
2 files changed, 20 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
|
|
index aab8b000cb..5ff8ba58eb 100644
|
|
--- a/lib/cgi/util.rb
|
|
+++ b/lib/cgi/util.rb
|
|
@@ -140,7 +140,7 @@ def unescapeHTML(string)
|
|
def escapeElement(string, *elements)
|
|
elements = elements[0] if elements[0].kind_of?(Array)
|
|
unless elements.empty?
|
|
- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
|
|
+ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
|
|
CGI.escapeHTML($&)
|
|
end
|
|
else
|
|
@@ -160,7 +160,7 @@ def escapeElement(string, *elements)
|
|
def unescapeElement(string, *elements)
|
|
elements = elements[0] if elements[0].kind_of?(Array)
|
|
unless elements.empty?
|
|
- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
|
|
+ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do
|
|
unescapeHTML($&)
|
|
end
|
|
else
|
|
diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
|
|
index b7bb7b8eae..e93be474b3 100644
|
|
--- a/test/cgi/test_cgi_util.rb
|
|
+++ b/test/cgi/test_cgi_util.rb
|
|
@@ -181,6 +181,14 @@ def test_cgi_escapeElement
|
|
assert_equal("<BR><A HREF="url"></A>", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
|
|
assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
|
|
assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
|
|
+
|
|
+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
|
|
+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
|
|
+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
|
|
+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
|
|
+
|
|
+ assert_equal("<A <A ", escapeElement('<A <A ', "A", "IMG"))
|
|
+ assert_equal("<A <A ", escapeElement('<A <A ', ["A", "IMG"]))
|
|
end
|
|
|
|
|
|
@@ -189,5 +197,15 @@ def test_cgi_unescapeElement
|
|
assert_equal('<BR><A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
|
|
assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
|
|
assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
|
|
+
|
|
+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
|
|
+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
|
|
+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
|
|
+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
|
|
+
|
|
+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
|
|
+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
|
|
+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
|
|
+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
|
|
end
|
|
end
|