inkmark 0.1.2 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/Cargo.lock +1 -1
- data/ext/inkmark/Cargo.toml +1 -1
- data/ext/inkmark/src/highlight.rs +26 -1
- data/lib/inkmark/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: defe040ab5efe3959229a885dcfd613bcd7bec9a264a7eb5bd6a441221af3e36
|
|
4
|
+
data.tar.gz: a3bd5205a96103fb12392155e548014824f90af1e91a130c52d96715abc63295
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 21536bdb30970d9f7bb58b002d35965a0ea6961a307f579229bc4eb34c5dabffd0a9b625aba12202e820166fb2efc5a35797e7714a7bcaf68be6f52afe14bef1
|
|
7
|
+
data.tar.gz: 022bfcb26faa0b74031f6984fffe894ff3038ea65195572aac17026fa6566d25a18bfbb766631b4e5d39b05fad65dcbbf4dbf932ac20c424127f36dc31b3e9f3
|
data/CHANGELOG.md
CHANGED
data/Cargo.lock
CHANGED
data/ext/inkmark/Cargo.toml
CHANGED
|
@@ -15,6 +15,7 @@ use std::sync::OnceLock;
|
|
|
15
15
|
|
|
16
16
|
use magnus::{Error, Ruby};
|
|
17
17
|
use pulldown_cmark::{CodeBlockKind, CowStr, Event, Tag, TagEnd};
|
|
18
|
+
use pulldown_cmark_escape::escape_html;
|
|
18
19
|
use syntect::highlighting::ThemeSet;
|
|
19
20
|
use syntect::html::{css_for_theme_with_class_style, ClassStyle, ClassedHTMLGenerator};
|
|
20
21
|
use syntect::parsing::SyntaxSet;
|
|
@@ -87,7 +88,15 @@ fn highlight_code(code: &str, lang: &str, ss: &SyntaxSet) -> String {
|
|
|
87
88
|
|
|
88
89
|
// Wrap each line in <span class="line"> so CSS can add line numbers
|
|
89
90
|
// via counter()/::before, highlight specific lines on hover, etc.
|
|
90
|
-
|
|
91
|
+
//
|
|
92
|
+
// `lang` is the fenced code block's info string—attacker-controlled
|
|
93
|
+
// markdown. HTML-escape it before it enters the class attribute so a
|
|
94
|
+
// crafted language tag like `x"><img onerror=...>` can't break out of
|
|
95
|
+
// the attribute and inject markup (this Html event bypasses
|
|
96
|
+
// suppress_raw_html, so escaping here is the only defense).
|
|
97
|
+
let mut buf = String::from("<pre><code class=\"language-");
|
|
98
|
+
let _ = escape_html(&mut buf, lang);
|
|
99
|
+
buf.push_str("\">");
|
|
91
100
|
for line in highlighted.split('\n') {
|
|
92
101
|
if !line.is_empty() {
|
|
93
102
|
buf.push_str("<span class=\"line\">");
|
|
@@ -149,6 +158,22 @@ mod tests {
|
|
|
149
158
|
assert!(html.contains("<pre><code"));
|
|
150
159
|
}
|
|
151
160
|
|
|
161
|
+
#[test]
|
|
162
|
+
fn escapes_malicious_language_tag_in_class_attribute() {
|
|
163
|
+
// The info string is attacker-controlled markdown. A crafted
|
|
164
|
+
// language tag must not break out of the class attribute.
|
|
165
|
+
let payload = "x\"><img src=a onerror=alert(1)>";
|
|
166
|
+
let html = highlight_code("let v = 1;\n", payload, syntax_set());
|
|
167
|
+
assert!(
|
|
168
|
+
!html.contains("\"><img src=a onerror="),
|
|
169
|
+
"language tag must be escaped, got: {html}"
|
|
170
|
+
);
|
|
171
|
+
assert!(
|
|
172
|
+
html.contains("language-x"><img"),
|
|
173
|
+
"expected escaped class attribute, got: {html}"
|
|
174
|
+
);
|
|
175
|
+
}
|
|
176
|
+
|
|
152
177
|
#[test]
|
|
153
178
|
fn unknown_language_falls_back_to_plain_text() {
|
|
154
179
|
let html = highlight_code("hello\n", "nonexistent-lang-xyz", syntax_set());
|
data/lib/inkmark/version.rb
CHANGED