inkmark 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: aec483333178a847396130007073b25d4c6ca453bbbc5b3338d2314a4b1dc161
4
- data.tar.gz: aa8fe81268c5cd018708744cec3098733410f2f057ab1e21593f3ca2d5d7a5d8
3
+ metadata.gz: defe040ab5efe3959229a885dcfd613bcd7bec9a264a7eb5bd6a441221af3e36
4
+ data.tar.gz: a3bd5205a96103fb12392155e548014824f90af1e91a130c52d96715abc63295
5
5
  SHA512:
6
- metadata.gz: 21233618a533d15f8529ed9e7739e34d81344d3c5439c25648e0ecf69173b4c79a23cd5a6f1548e5a7a488d46c968311e2d79058c12b69b98b3f45130a241e9e
7
- data.tar.gz: 5cc63dd2c016d6446e35123d06f6e696816217ea0c6a9204d4eefecc846de46439ce16fdb3832e021441922bf467dc009e883df48ade1a3be61233420ab471d2
6
+ metadata.gz: 21536bdb30970d9f7bb58b002d35965a0ea6961a307f579229bc4eb34c5dabffd0a9b625aba12202e820166fb2efc5a35797e7714a7bcaf68be6f52afe14bef1
7
+ data.tar.gz: 022bfcb26faa0b74031f6984fffe894ff3038ea65195572aac17026fa6566d25a18bfbb766631b4e5d39b05fad65dcbbf4dbf932ac20c424127f36dc31b3e9f3
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## [0.1.3] - 2026-06-21
2
+
3
+ - Fix possible XSS via unescaped language tag in syntax-highlighted code blocks.
4
+
1
5
  ## [0.1.2] - 2026-06-21
2
6
 
3
7
  - Fix `Inkmark.truncate_markdown` raising `TypeError` when called without explicit `options:`.
data/Cargo.lock CHANGED
@@ -331,7 +331,7 @@ dependencies = [
331
331
 
332
332
  [[package]]
333
333
  name = "inkmark"
334
- version = "0.1.2"
334
+ version = "0.1.3"
335
335
  dependencies = [
336
336
  "deunicode",
337
337
  "emojis",
@@ -1,6 +1,6 @@
1
1
  [package]
2
2
  name = "inkmark"
3
- version = "0.1.2"
3
+ version = "0.1.3"
4
4
  edition = "2021"
5
5
  authors = ["Yaroslav Markin <yaroslav@markin.net>"]
6
6
  license = "MIT"
@@ -15,6 +15,7 @@ use std::sync::OnceLock;
15
15
 
16
16
  use magnus::{Error, Ruby};
17
17
  use pulldown_cmark::{CodeBlockKind, CowStr, Event, Tag, TagEnd};
18
+ use pulldown_cmark_escape::escape_html;
18
19
  use syntect::highlighting::ThemeSet;
19
20
  use syntect::html::{css_for_theme_with_class_style, ClassStyle, ClassedHTMLGenerator};
20
21
  use syntect::parsing::SyntaxSet;
@@ -87,7 +88,15 @@ fn highlight_code(code: &str, lang: &str, ss: &SyntaxSet) -> String {
87
88
 
88
89
  // Wrap each line in <span class="line"> so CSS can add line numbers
89
90
  // via counter()/::before, highlight specific lines on hover, etc.
90
- let mut buf = format!("<pre><code class=\"language-{lang}\">");
91
+ //
92
+ // `lang` is the fenced code block's info string—attacker-controlled
93
+ // markdown. HTML-escape it before it enters the class attribute so a
94
+ // crafted language tag like `x"><img onerror=...>` can't break out of
95
+ // the attribute and inject markup (this Html event bypasses
96
+ // suppress_raw_html, so escaping here is the only defense).
97
+ let mut buf = String::from("<pre><code class=\"language-");
98
+ let _ = escape_html(&mut buf, lang);
99
+ buf.push_str("\">");
91
100
  for line in highlighted.split('\n') {
92
101
  if !line.is_empty() {
93
102
  buf.push_str("<span class=\"line\">");
@@ -149,6 +158,22 @@ mod tests {
149
158
  assert!(html.contains("<pre><code"));
150
159
  }
151
160
 
161
+ #[test]
162
+ fn escapes_malicious_language_tag_in_class_attribute() {
163
+ // The info string is attacker-controlled markdown. A crafted
164
+ // language tag must not break out of the class attribute.
165
+ let payload = "x\"><img src=a onerror=alert(1)>";
166
+ let html = highlight_code("let v = 1;\n", payload, syntax_set());
167
+ assert!(
168
+ !html.contains("\"><img src=a onerror="),
169
+ "language tag must be escaped, got: {html}"
170
+ );
171
+ assert!(
172
+ html.contains("language-x&quot;&gt;&lt;img"),
173
+ "expected escaped class attribute, got: {html}"
174
+ );
175
+ }
176
+
152
177
  #[test]
153
178
  fn unknown_language_falls_back_to_plain_text() {
154
179
  let html = highlight_code("hello\n", "nonexistent-lang-xyz", syntax_set());
@@ -2,5 +2,5 @@
2
2
 
3
3
  class Inkmark
4
4
  # Current gem version.
5
- VERSION = "0.1.2"
5
+ VERSION = "0.1.3"
6
6
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inkmark
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.2
4
+ version: 0.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Yaroslav Markin