From 5e46225b42d643af138cefd461d854a87e5bdc5a Mon Sep 17 00:00:00 2001
From: Takashi Kokubun
Date: Mon, 21 Dec 2015 23:35:40 +0900
Subject: [PATCH] Preserve original state for tainted and frozen
---
 ext/cgi/escape/escape.c | 16 +++++++++++++++-
 test/cgi/test_cgi_util.rb | 10 ++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c
index 6fec95a..b75eb6e 100644
--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@@ -25,6 +25,20 @@ html_escaped_cat(VALUE str, char c)
 }
 }
 
+static void
+preserve_original_state(VALUE orig, VALUE dest)
+{
+ rb_enc_associate(dest, rb_enc_get(orig));
+
+ if (rb_obj_frozen_p(orig)) {
+ rb_str_freeze(dest);
+ }
+
+ if (OBJ_TAINTED(orig)) {
+ rb_obj_taint(dest);
+ }
+}
+
 static VALUE
 optimized_escape_html(VALUE str)
 {
@@ -57,7 +71,7 @@ optimized_escape_html(VALUE str)
 
 if (modified) {
 rb_str_cat(dest, cstr + beg, len - beg);
- rb_enc_associate(dest, rb_enc_get(str));
+ preserve_original_state(str, dest);
 return dest;
 }
 else {
diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
index d30c9bd..08c2ed2 100644
--- a/test/cgi/test_cgi_util.rb
+++ b/test/cgi/test_cgi_util.rb
@@ -68,6 +68,16 @@ def test_cgi_escape_html_preserve_encoding
 assert_equal(Encoding::UTF_8, CGI::escapeHTML("'&\"><".force_encoding("UTF-8")).encoding)
 end
 
+ def test_cgi_escape_html_preserve_tainted
+ assert_equal(false, CGI::escapeHTML("'&\"><").tainted?)
+ assert_equal(true, CGI::escapeHTML("'&\"><".taint).tainted?)
+ end
+
+ def test_cgi_escape_html_preserve_frozen
+ assert_equal(false, CGI::escapeHTML("'&\"><".dup).frozen?)
+ assert_equal(true, CGI::escapeHTML("'&\"><".freeze).frozen?)
+ end
+
 def test_cgi_unescapeHTML
 assert_equal("'&\"><", CGI::unescapeHTML("'&"><"))
 end
-- 
2.6.0
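Review bot: In `preserve_original_state` the freeze is applied before the taint, so an input that is both frozen and tainted reaches `rb_obj_taint(dest)` with `dest` already frozen. As far as I know `rb_obj_taint` checks for a frozen receiver before setting the flag and raises, so `CGI::escapeHTML` would fail on such a string instead of returning a tainted result. Move the `if (OBJ_TAINTED(orig)) { rb_obj_taint(dest); }` block above the `rb_obj_frozen_p` check so the taint mark is copied while `dest` is still mutable. The taint flag is what callers tracking untrusted data rely on, so a comment such as `/* taint before freeze: a frozen string cannot be tainted */` would keep the order from being reversed later.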
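Review bot: The new tests check taint and freeze separately and only on input that needs escaping, so no case covers a string that is both tainted and frozen, which is where the order of operations in `preserve_original_state` matters. Adding `assert_equal(true, CGI::escapeHTML("'&\"><".taint.freeze).tainted?)` and the matching `.frozen?` assertion would cover it. A case with nothing to escape, for example `CGI::escapeHTML("abc".taint).tainted?` (constructed sample), would also pin what the else branch of `optimized_escape_html` returns; that branch lies outside these hunks.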