Escape main title

https://hackerone.com/reports/1187156

Author: nobu

lib/rdoc/generator/template/darkfish/index.rhtml

@@ -17,6 +17,6 @@
       main_page = @files.find { |f| f.full_name == @options.main_page } then %>
 <%= main_page.description %>
 <%- else -%>
-<p>This is the API documentation for <%= @title %>.
+<p>This is the API documentation for <%= h @title %>.
 <%- end -%>
 </main>

test/rdoc/test_rdoc_generator_darkfish.rb

@@ -248,6 +248,22 @@ def test_template_stylesheets
     assert_include File.read('index.html'), %Q[href="./#{base}"]
   end
 
+  def test_title
+    title = "RDoc Test".freeze
+    @options.title = title
+    @g.generate
+
+    assert_main_title(File.read('index.html'), title)
+  end
+
+  def test_title_escape
+    title = %[<script>alert("RDoc")</script>].freeze
+    @options.title = title
+    @g.generate
+
+    assert_main_title(File.read('index.html'), title)
+  end
+
   ##
   # Asserts that +filename+ has a link count greater than 1 if hard links to
   # @tmpdir are supported.
@@ -271,4 +287,9 @@ def assert_hard_link filename
                     "#{filename} is not hard-linked"
   end
 
+  def assert_main_title(content, title)
+    title = CGI.escapeHTML(title)
+    assert_equal(title, content[%r[<title>(.*?)<\/title>]im, 1])
+    assert_include(content[%r[<main\s[^<>]*+>\s*(.*?)</main>]im, 1], title)
+  end
 end