Merge pull request #528 from aycabta/escape-yield-parameters

aycabta · web-flow · commit c0ad1534775c · 2017-09-28T02:21:57.000+09:00
Escape yield parameters
diff --git a/lib/rdoc/generator/template/darkfish/class.rhtml b/lib/rdoc/generator/template/darkfish/class.rhtml
@@ -114,7 +114,7 @@
         <% else %>
         <div class="method-heading">
           <span class="method-name"><%= h method.name %></span><span
-            class="method-args"><%= method.param_seq %></span>
+            class="method-args"><%= h method.param_seq %></span>
           <% if method.token_stream then %>
           <span class="method-click-advice">click to toggle source</span>
           <% end %>
diff --git a/test/test_rdoc_generator_darkfish.rb b/test/test_rdoc_generator_darkfish.rb
@@ -43,10 +43,13 @@ def setup
 
     @meth = RDoc::AnyMethod.new nil, 'method'
     @meth_bang = RDoc::AnyMethod.new nil, 'method!'
+    @meth_with_html_tag_yield = RDoc::AnyMethod.new nil, 'method_with_html_tag_yield'
+    @meth_with_html_tag_yield.block_params = '%<<script>alert("atui")</script>>, yield_arg'
     @attr = RDoc::Attr.new nil, 'attr', 'RW', ''
 
     @klass.add_method @meth
     @klass.add_method @meth_bang
+    @klass.add_method @meth_with_html_tag_yield
     @klass.add_attribute @attr
 
     @ignored = @top_level.add_class RDoc::NormalClass, 'Ignored'
@@ -167,7 +170,7 @@ def test_setup
     assert_equal [@klass_alias, @ignored, @klass, @object],
                  @g.classes.sort_by { |klass| klass.full_name }
     assert_equal [@top_level],                           @g.files
-    assert_equal [@meth, @meth, @meth_bang, @meth_bang], @g.methods
+    assert_equal [@meth, @meth, @meth_bang, @meth_bang, @meth_with_html_tag_yield, @meth_with_html_tag_yield], @g.methods
     assert_equal [@klass_alias, @klass, @object], @g.modsort
   end
 
@@ -199,6 +202,23 @@ def test_template_for_partial
     assert_same template, @g.send(:template_for, partial)
   end
 
+  def test_generated_method_with_html_tag_yield
+    top_level = @store.add_file 'file.rb'
+    top_level.add_class @klass.class, @klass.name
+
+    @g.generate
+
+    path = File.join @tmpdir, 'A.html'
+
+    f = open(path)
+    internal_file = f.read
+    method_name_index = internal_file.index('<span class="method-name">method_with_html_tag_yield</span>')
+    last_of_method_name_index = method_name_index + internal_file[method_name_index..-1].index('<div class="method-description">') - 1
+    method_name = internal_file[method_name_index..last_of_method_name_index]
+
+    assert_includes method_name, '{ |%&lt;&lt;script&gt;alert(&quot;atui&quot;)&lt;/script&gt;&gt;, yield_arg| ... }'
+  end
+
   ##
   # Asserts that +filename+ has a link count greater than 1 if hard links to
   # @tmpdir are supported.
