Fix a security issue using :quote with :escape_html

robin850 · robin850 · commit a699c82292b1 · 2020-12-15T21:01:19.000+01:00
Reported by @johan-smits.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## Version 3.5.1 (Security)
+
+* Fix a security vulnerability using `:quote` in combination with the
+  `:escape_html` option.
+
+  Reported by *Johan Smits*.
+
 ## Version 3.5.0
 
 * Avoid mutating the options hash passed to a render object.
diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c
@@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque)
 	if (!text || !text->size)
 		return 0;
 
+	struct html_renderopt *options = opaque;
+
 	BUFPUTSL(ob, "<q>");
-	bufput(ob, text->data, text->size);
+
+	if (options->flags & HTML_ESCAPE)
+		escape_html(ob, text->data, text->size);
+	else
+		bufput(ob, text->data, text->size);
+
 	BUFPUTSL(ob, "</q>");
 
 	return 1;
diff --git a/lib/redcarpet.rb b/lib/redcarpet.rb
@@ -2,7 +2,7 @@
 require 'redcarpet/compat'
 
 module Redcarpet
-  VERSION = '3.5.0'
+  VERSION = '3.5.1'
 
   class Markdown
     attr_reader :renderer
diff --git a/redcarpet.gemspec b/redcarpet.gemspec
@@ -1,10 +1,10 @@
 # encoding: utf-8
 Gem::Specification.new do |s|
   s.name = 'redcarpet'
-  s.version = '3.5.0'
+  s.version = '3.5.1'
   s.summary = "Markdown that smells nice"
   s.description = 'A fast, safe and extensible Markdown to (X)HTML parser'
-  s.date = '2019-07-29'
+  s.date = '2020-12-15'
   s.email = 'vicent@github.com'
   s.homepage = 'http://github.com/vmg/redcarpet'
   s.authors = ["Natacha Porté", "Vicent Martí"]
diff --git a/test/markdown_test.rb b/test/markdown_test.rb
@@ -220,6 +220,16 @@ def test_quote_flag_works
     assert_equal '<p>this is a <q>quote</q></p>', output
   end
 
+  def test_quote_flag_honors_escape_html
+    text = 'We are not "<svg/onload=pwned>"'
+
+    output_enabled  = render(text, with: [:quote, :escape_html])
+    output_disabled = render(text, with: [:quote])
+
+    assert_equal "<p>We are not <q>&lt;svg/onload=pwned&gt;</q></p>", output_enabled
+    assert_equal "<p>We are not <q><svg/onload=pwned></q></p>", output_disabled
+  end
+
   def test_that_fenced_flag_works
     text = <<-fenced.strip_heredoc
       This is a simple test
