From 10a129cee72512315e84d5b29a8ca471058e80ff Mon Sep 17 00:00:00 2001
From: nobu
Date: Tue, 22 Dec 2015 05:31:31 +0000
Subject: [PATCH] escape.c: should not freeze

* ext/cgi/escape/escape.c (optimized_escape_html): CGI.escapeHTML should return unfrozen new string. [ruby-core:72426] [Bug #11858]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53234 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 6 ++++++
 ext/cgi/escape/escape.c | 4 ++--
 test/cgi/test_cgi_util.rb | 32 ++++++++++++++++++++++++--------
 3 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 03beda6705..3087a4cd95 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Tue Dec 22 14:31:28 2015 Toru Iwase
+
+ * ext/cgi/escape/escape.c (optimized_escape_html): CGI.escapeHTML
+ should return unfrozen new string.
+ [ruby-core:72426] [Bug #11858]
+
 Tue Dec 22 05:39:58 2015 Takashi Kokubun
 * ext/cgi/escape/escape.c (preserve_original_state): Preserve
diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c
index 939b054ad2..e8f64f6dcc 100644
--- a/ext/cgi/escape/escape.c
+++ b/ext/cgi/escape/escape.c
@@ -30,7 +30,7 @@ preserve_original_state(VALUE orig, VALUE dest)
 {
 rb_enc_associate(dest, rb_enc_get(orig));
- FL_SET_RAW(dest, FL_TEST_RAW(orig, FL_FREEZE|FL_TAINT));
+ RB_OBJ_INFECT_RAW(dest, orig);
 }
 static VALUE
@@ -69,7 +69,7 @@ optimized_escape_html(VALUE str)
 return dest;
 }
 else {
- return str;
+ return rb_str_dup(str);
 }
 }
diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
index 08c2ed2056..5565afe9c1 100644
--- a/test/cgi/test_cgi_util.rb
+++ b/test/cgi/test_cgi_util.rb
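Review bot: `preserve_original_state` no longer does what its name says once the `FL_FREEZE` bit is dropped from the copied flags: after the `RB_OBJ_INFECT_RAW(dest, orig);` line it carries over only the encoding and the taint bit, and nothing in the hunk records that leaving `dest` unfrozen is deliberate rather than an oversight. A comment on that line such as `/* copy encoding and taint only; dest is a fresh buffer and must stay unfrozen (Bug #11858) */` would stop the next reader from "restoring" freeze propagation. The function's signature line sits just before the hunk, so its start is outside this view.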
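Review bot: The `else` branch of `optimized_escape_html` now allocates with `return rb_str_dup(str);` even when nothing needed escaping, which is the fix, but it also retires the zero-copy fast path the function is named for, and without a note the next performance-minded edit is likely to bring `return str;` back together with the aliasing bug. Suggest `/* always hand back a new, unfrozen String: callers may mutate the result (Bug #11858) */` above the return. As far as I recall `rb_str_dup` keeps the receiver's encoding and taint, so both branches should now agree on everything except frozenness — worth confirming against the tests. The function body begins before this hunk.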
@@ -62,20 +62,36 @@ class CGIUtilTest < Test::Unit::TestCase
 assert_equal("'&"><", CGI::escapeHTML("'&\"><"))
 end
+ def test_cgi_escape_html_duplicated
+ orig = "Ruby".force_encoding("US-ASCII")
+ str = CGI::escapeHTML(orig)
+ assert_equal(orig, str)
+ assert_not_same(orig, str)
+ end
+
+ def assert_cgi_escape_html_preserve_encoding(str, encoding)
+ assert_equal(encoding, CGI::escapeHTML(str.dup.force_encoding(encoding)).encoding)
+ end
+
 def test_cgi_escape_html_preserve_encoding
- assert_equal(Encoding::US_ASCII, CGI::escapeHTML("'&\"><".force_encoding("US-ASCII")).encoding)
- assert_equal(Encoding::ASCII_8BIT, CGI::escapeHTML("'&\"><".force_encoding("ASCII-8BIT")).encoding)
- assert_equal(Encoding::UTF_8, CGI::escapeHTML("'&\"><".force_encoding("UTF-8")).encoding)
+ Encoding.list do |enc|
+ assert_cgi_escape_html_preserve_encoding("'&\"><", enc)
+ assert_cgi_escape_html_preserve_encoding("Ruby", enc)
+ end
 end
 def test_cgi_escape_html_preserve_tainted
- assert_equal(false, CGI::escapeHTML("'&\"><").tainted?)
- assert_equal(true, CGI::escapeHTML("'&\"><".taint).tainted?)
+ assert_not_predicate CGI::escapeHTML("'&\"><"), :tainted?
+ assert_predicate CGI::escapeHTML("'&\"><".taint), :tainted?
+ assert_not_predicate CGI::escapeHTML("Ruby"), :tainted?
+ assert_predicate CGI::escapeHTML("Ruby".taint), :tainted?
 end
- def test_cgi_escape_html_preserve_frozen
- assert_equal(false, CGI::escapeHTML("'&\"><".dup).frozen?)
- assert_equal(true, CGI::escapeHTML("'&\"><".freeze).frozen?)
+ def test_cgi_escape_html_dont_freeze
+ assert_not_predicate CGI::escapeHTML("'&\"><".dup), :frozen?
+ assert_not_predicate CGI::escapeHTML("'&\"><".freeze), :frozen?
+ assert_not_predicate CGI::escapeHTML("Ruby".dup), :frozen?
+ assert_not_predicate CGI::escapeHTML("Ruby".freeze), :frozen?
 end
 def test_cgi_unescapeHTML
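Review bot: `Encoding.list do |enc| … end` in `test_cgi_escape_html_preserve_encoding` never runs its block: `Encoding.list` takes no block and simply returns the Array, so the block is discarded and the rewritten test passes without making a single assertion, a regression from the three explicit checks it replaces. It should read `Encoding.list.each do |enc|`. Once the loop really executes it will reach dummy and non-ASCII-compatible encodings (UTF-16, UTF-32 and the like); I cannot tell from this hunk whether `CGI::escapeHTML` accepts those, so be prepared to skip them with `enc.dummy?` / `enc.ascii_compatible?` if the C side raises. The enclosing `CGIUtilTest` class starts before this hunk.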