From 8c07cc4657772d076e994896d8f3618c7c25083f Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Sat, 28 Aug 2021 17:41:47 +0900
Subject: [PATCH 1/3] Escape file names

https://hackerone.com/reports/1321358
---
 .../template/darkfish/_sidebar_pages.rhtml         |  6 +++---
 .../template/darkfish/table_of_contents.rhtml      |  4 ++--
 test/rdoc/test_rdoc_generator_darkfish.rb          | 14 ++++++++++++++
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
index 0ed683ca14..3f68f0c0dc 100644
--- a/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
+++ b/lib/rdoc/generator/template/darkfish/_sidebar_pages.rhtml
@@ -12,18 +12,18 @@
   <%- end.each do |n, files| -%>
     <%- f = files.shift -%>
     <%- if files.empty? -%>
-    <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
+    <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
       <%- next -%>
     <%- end -%>
     <li><details<% if dir == n %> open<% end %>><summary><%
     if n == f.page_name
-      %><a href="<%= rel_prefix %>/<%= f.path %>"><%= h n %></a><%
+      %><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h n %></a><%
     else
       %><%= h n %><% files.unshift(f)
     end %></summary>
     <ul class="link-list">
     <%- files.each do |f| -%>
-      <li><a href="<%= rel_prefix %>/<%= f.path %>"><%= h f.page_name %></a>
+      <li><a href="<%= rel_prefix %>/<%= h f.path %>"><%= h f.page_name %></a>
     <%- end -%>
     </ul></details>
   <%- end -%>
diff --git a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
index 303d7016cc..941ff9d630 100644
--- a/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
+++ b/lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
@@ -8,14 +8,14 @@
 <ul>
 <%- simple_files.sort.each do |file| -%>
   <li class="file">
-    <a href="<%= file.path %>"><%= h file.page_name %></a>
+    <a href="<%= h file.path %>"><%= h file.page_name %></a>
 <%
    # HACK table_of_contents should not exist on Document
    table = file.parse(file.comment).table_of_contents
    unless table.empty? then %>
     <ul>
 <%- table.each do |heading| -%>
-      <li><a href="<%= file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
+      <li><a href="<%= h file.path %>#<%= heading.aref %>"><%= heading.plain_html %></a>
 <%-   end -%>
     </ul>
 <%- end -%>
diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index ae3a4c5ebf..26397bb6cb 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -233,6 +233,20 @@ def test_generated_method_with_html_tag_yield
     assert_includes method_name, '{ |%&lt;&lt;script&gt;alert(&quot;atui&quot;)&lt;/script&gt;&gt;, yield_arg| ... }'
   end
 
+  def test_generated_filename_with_html_tag
+    @store.add_file '"><em>should be escaped'
+    doc = @store.all_files.last
+    doc.parser = RDoc::Parser::Simple
+
+    @g.generate
+
+    Dir.glob("*.html", base: @tmpdir) do |html|
+      File.read(File.join(@tmpdir, html)).scan(/.*should be escaped.*/) do |line|
+        assert_not_include line, "<em>", html
+      end
+    end
+  end
+
   def test_template_stylesheets
     css = Tempfile.create(%W'hoge .css', Dir.mktmpdir('tmp', '.'))
     File.write(css, '')

From 2ebf8fd51005f389ad9f906311e6266de8e96fec Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 7 Sep 2021 23:52:13 +0900
Subject: [PATCH 2/3] Escape search results

https://hackerone.com/reports/1321358
---
 .../generator/template/darkfish/_head.rhtml   | 20 +++++++++----------
 .../template/darkfish/js/darkfish.js          |  2 +-
 .../generator/template/darkfish/js/search.js  |  2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/rdoc/generator/template/darkfish/_head.rhtml b/lib/rdoc/generator/template/darkfish/_head.rhtml
index 4f331245c3..d5aed3e9ef 100644
--- a/lib/rdoc/generator/template/darkfish/_head.rhtml
+++ b/lib/rdoc/generator/template/darkfish/_head.rhtml
@@ -3,18 +3,18 @@
 <title><%= h @title %></title>
 
 <script type="text/javascript">
-  var rdoc_rel_prefix = "<%= asset_rel_prefix %>/";
-  var index_rel_prefix = "<%= rel_prefix %>/";
+  var rdoc_rel_prefix = "<%= h asset_rel_prefix %>/";
+  var index_rel_prefix = "<%= h rel_prefix %>/";
 </script>
 
-<script src="<%= asset_rel_prefix %>/js/navigation.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/search.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/search_index.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/searcher.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/darkfish.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/navigation.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/search.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/search_index.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/searcher.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/darkfish.js" defer></script>
 
-<link href="<%= asset_rel_prefix %>/css/fonts.css" rel="stylesheet">
-<link href="<%= asset_rel_prefix %>/css/rdoc.css" rel="stylesheet">
+<link href="<%= h asset_rel_prefix %>/css/fonts.css" rel="stylesheet">
+<link href="<%= h asset_rel_prefix %>/css/rdoc.css" rel="stylesheet">
 <%- @options.template_stylesheets.each do |stylesheet| -%>
-<link href="<%= asset_rel_prefix %>/<%= File.basename stylesheet %>" rel="stylesheet">
+<link href="<%= h asset_rel_prefix %>/<%= File.basename stylesheet %>" rel="stylesheet">
 <%- end -%>
diff --git a/lib/rdoc/generator/template/darkfish/js/darkfish.js b/lib/rdoc/generator/template/darkfish/js/darkfish.js
index 111bbf8eb9..d0c9467751 100644
--- a/lib/rdoc/generator/template/darkfish/js/darkfish.js
+++ b/lib/rdoc/generator/template/darkfish/js/darkfish.js
@@ -54,7 +54,7 @@ function hookSearch() {
     var html = '';
 
     // TODO add relative path to <script> per-page
-    html += '<p class="search-match"><a href="' + index_rel_prefix + result.path + '">' + this.hlt(result.title);
+    html += '<p class="search-match"><a href="' + index_rel_prefix + this.escapeHTML(result.path) + '">' + this.hlt(result.title);
     if (result.params)
       html += '<span class="params">' + result.params + '</span>';
     html += '</a>';
diff --git a/lib/rdoc/generator/template/darkfish/js/search.js b/lib/rdoc/generator/template/darkfish/js/search.js
index b558ca5b4f..58e52afecf 100644
--- a/lib/rdoc/generator/template/darkfish/js/search.js
+++ b/lib/rdoc/generator/template/darkfish/js/search.js
@@ -101,7 +101,7 @@ Search.prototype = Object.assign({}, Navigation, new function() {
   }
 
   this.escapeHTML = function(html) {
-    return html.replace(/[&<>]/g, function(c) {
+    return html.replace(/[&<>"`']/g, function(c) {
       return '&#' + c.charCodeAt(0) + ';';
     });
   }

From 13b9da5932bb7b8a2d8b008e7452ff67037a2251 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Fri, 7 Oct 2022 11:38:21 +0900
Subject: [PATCH 3/3] Special characters are prohibited as filename on Windows

---
 test/rdoc/test_rdoc_generator_darkfish.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/test/rdoc/test_rdoc_generator_darkfish.rb b/test/rdoc/test_rdoc_generator_darkfish.rb
index 26397bb6cb..1906ef77b7 100644
--- a/test/rdoc/test_rdoc_generator_darkfish.rb
+++ b/test/rdoc/test_rdoc_generator_darkfish.rb
@@ -234,7 +234,16 @@ def test_generated_method_with_html_tag_yield
   end
 
   def test_generated_filename_with_html_tag
-    @store.add_file '"><em>should be escaped'
+    filename = '"><em>should be escaped'
+    begin # in @tmpdir
+      File.write(filename, '')
+    rescue SystemCallError
+      # ", <, > chars are prohibited as filename
+      return
+    else
+      File.unlink(filename)
+    end
+    @store.add_file filename
     doc = @store.all_files.last
     doc.parser = RDoc::Parser::Simple