CVE-2020-26298: Fix a security issue using `:quote` with `:escape_html` · vmg/redcarpet@a699c82
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.
@@ -220,6 +220,16 @@ def test_quote_flag_works assert_equal '<p>this is a <q>quote</q></p>’, output end
def test_quote_flag_honors_escape_html text = ‘We are not "<svg/onload=pwned>"’
output_enabled = render(text, with: [:quote, :escape_html]) output_disabled = render(text, with: [:quote])
assert_equal "<p>We are not <q><svg/onload=pwned></q></p>", output_enabled assert_equal "<p>We are not <q><svg/onload=pwned></q></p>", output_disabled end
def test_that_fenced_flag_works text = <<-fenced.strip_heredoc This is a simple test
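Review bot: the two assertions in test_quote_flag_honors_escape_html expect the identical string `<p>We are not <q><svg/onload=pwned></q></p>` for both output_enabled and output_disabled, so as written the test cannot tell :escape_html on from off and would not have caught the bug the commit fixes; the enabled case should expect the escaped form (`&lt;svg/onload=pwned&gt;` inside the `<q>` element) while the disabled case keeps the raw tag. Two smaller points on the same hunk: the string literal `‘We are not "<svg/onload=pwned>"’` uses typographic quotes, which Ruby will not parse, so it should be a plain single-quoted literal; and this hunk only touches the test file, while the renderer change that actually applies HTML escaping inside the quote callback (the fix described in the advisory text) is not visible here, so the test should be reviewed together with that change.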