Escapes HTML content when setting colors.

pdx91 · pdx91 · commit 498a5a95555b · 2019-11-20T10:10:18.000-08:00
diff --git a/lib/thor/shell/html.rb b/lib/thor/shell/html.rb
@@ -51,13 +51,13 @@ class HTML < Basic
       def set_color(string, *colors)
         if colors.all? { |color| color.is_a?(Symbol) || color.is_a?(String) }
           html_colors = colors.map { |color| lookup_color(color) }
-          "<span style=\"#{html_colors.join('; ')};\">#{string}</span>"
+          "<span style=\"#{html_colors.join('; ')};\">#{CGI.escapeHTML(string)}</span>"
         else
           color, bold = colors
           html_color = self.class.const_get(color.to_s.upcase) if color.is_a?(Symbol)
           styles = [html_color]
           styles << BOLD if bold
-          "<span style=\"#{styles.join('; ')};\">#{string}</span>"
+          "<span style=\"#{styles.join('; ')};\">#{CGI.escapeHTML(string)}</span>"
         end
       end
 
diff --git a/spec/shell/html_spec.rb b/spec/shell/html_spec.rb
@@ -28,4 +28,14 @@ def shell
       shell.say_status :conflict, "README", :red
     end
   end
+
+  describe "#set_color" do
+    it "escapes HTML content when unsing the default colors" do
+      expect(shell.set_color("<htmlcontent>", :blue)).to eq "<span style=\"color: blue;\">&lt;htmlcontent&gt;</span>"
+    end
+
+    it "escapes HTML content when not using the default colors" do
+      expect(shell.set_color("<htmlcontent>", [:nocolor])).to eq "<span style=\";\">&lt;htmlcontent&gt;</span>"
+    end
+  end
 end
