diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7203c68..4ff6958a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
# Changelog
+## Version 3.5.1 (Security)
+
+* Fix a security vulnerability using `:quote` in combination with the
+ `:escape_html` option.
+
+ Reported by *Johan Smits*.
+
## Version 3.5.0
* Avoid mutating the options hash passed to a render object.
diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c
index 805ddd8e..785f780f 100644
--- a/ext/redcarpet/html.c
+++ b/ext/redcarpet/html.c
@@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque)
if (!text || !text->size)
return 0;
+ struct html_renderopt *options = opaque;
+
BUFPUTSL(ob, "");
- bufput(ob, text->data, text->size);
+
+ if (options->flags & HTML_ESCAPE)
+ escape_html(ob, text->data, text->size);
+ else
+ bufput(ob, text->data, text->size);
+
BUFPUTSL(ob, "
");
return 1;
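Review bot: The new branch escapes the quote body only under HTML_ESCAPE; the `else` path still copies `text->data` verbatim, so with `filter_html` (HTML_SKIP_HTML) raw tags inside a `"..."` span would appear to reach the output untouched if, as the unconditional `bufput` fallback suggests, the quoted text arrives at this callback unparsed. That should be confirmed against the caller in markdown.c, and if it holds, the guard should be widened to `if (options->flags & (HTML_ESCAPE | HTML_SKIP_HTML))` or the body routed through the inline parser so raw HTML is handled by the same path as other inline spans. A smaller point of style: `struct html_renderopt *options = opaque;` is declared after the guard statement, which requires C99 mixed declarations; hoisting it above the `if` avoids that dependency. rndr_quote's closing brace lies outside the hunk.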
diff --git a/lib/redcarpet.rb b/lib/redcarpet.rb
index 4a494a43..c166147b 100644
--- a/lib/redcarpet.rb
+++ b/lib/redcarpet.rb
@@ -2,7 +2,7 @@
require 'redcarpet/compat'
module Redcarpet
- VERSION = '3.5.0'
+ VERSION = '3.5.1'
class Markdown
attr_reader :renderer
diff --git a/redcarpet.gemspec b/redcarpet.gemspec
index bb0453b7..322782b9 100644
--- a/redcarpet.gemspec
+++ b/redcarpet.gemspec
@@ -1,10 +1,10 @@
# encoding: utf-8
Gem::Specification.new do |s|
s.name = 'redcarpet'
- s.version = '3.5.0'
+ s.version = '3.5.1'
s.summary = "Markdown that smells nice"
s.description = 'A fast, safe and extensible Markdown to (X)HTML parser'
- s.date = '2019-07-29'
+ s.date = '2020-12-15'
s.email = 'vicent@github.com'
s.homepage = 'http://github.com/vmg/redcarpet'
s.authors = ["Natacha Porté", "Vicent MartÃ"]
diff --git a/test/markdown_test.rb b/test/markdown_test.rb
index 4347be9b..68de1255 100644
--- a/test/markdown_test.rb
+++ b/test/markdown_test.rb
@@ -220,6 +220,16 @@ def test_quote_flag_works
assert_equal '
this is a quote