From 37a7775534ee5e08b11902615c30cda17aa0160f Mon Sep 17 00:00:00 2001 From: Hiroshi SHIBATA Date: Fri, 21 Feb 2025 16:01:17 +0900 Subject: [PATCH 1/2] Use String#concat instead of String#+ for reducing cpu usage Co-authored-by: "Yusuke Endoh" --- lib/cgi/cookie.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb index 9498e2f..1c4ef6a 100644 --- a/lib/cgi/cookie.rb +++ b/lib/cgi/cookie.rb @@ -190,9 +190,10 @@ def self.parse(raw_cookie) values ||= "" values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) } if cookies.has_key?(name) - values = cookies[name].value + values + cookies[name].concat(values) + else + cookies[name] = Cookie.new(name, *values) end - cookies[name] = Cookie.new(name, *values) end cookies From c9d131112c7d614892893469310297d470c7d0d2 Mon Sep 17 00:00:00 2001 From: Hiroshi SHIBATA Date: Fri, 21 Feb 2025 15:53:31 +0900 Subject: [PATCH 2/2] Escape/unescape unclosed tags as well Co-authored-by: Nobuyoshi Nakada --- lib/cgi/util.rb | 4 ++-- test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb index 4986e54..5f12eae 100644 --- a/lib/cgi/util.rb +++ b/lib/cgi/util.rb @@ -184,7 +184,7 @@ def unescapeHTML(string) def escapeElement(string, *elements) elements = elements[0] if elements[0].kind_of?(Array) unless elements.empty? - string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do + string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do CGI.escapeHTML($&) end else @@ -204,7 +204,7 @@ def escapeElement(string, *elements) def unescapeElement(string, *elements) elements = elements[0] if elements[0].kind_of?(Array) unless elements.empty? - string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do + string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do unescapeHTML($&) end else diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb index b0612fc..bff77f7 100644 --- a/test/cgi/test_cgi_util.rb +++ b/test/cgi/test_cgi_util.rb @@ -269,6 +269,14 @@ def test_cgi_escapeElement assert_equal("
<A HREF="url"></A>", escapeElement('
', ["A", "IMG"])) assert_equal("
<A HREF="url"></A>", escape_element('
', "A", "IMG")) assert_equal("
<A HREF="url"></A>", escape_element('
', ["A", "IMG"])) + + assert_equal("<A <A HREF="url"></A>", escapeElement('', "A", "IMG")) + assert_equal("<A <A HREF="url"></A>", escapeElement('', ["A", "IMG"])) + assert_equal("<A <A HREF="url"></A>", escape_element('', "A", "IMG")) + assert_equal("<A <A HREF="url"></A>", escape_element('', ["A", "IMG"])) + + assert_equal("<A <A ", escapeElement('', unescapeElement(escapeHTML('
'), ["A", "IMG"])) assert_equal('<BR>', unescape_element(escapeHTML('
'), "A", "IMG")) assert_equal('<BR>', unescape_element(escapeHTML('
'), ["A", "IMG"])) + + assert_equal('', unescapeElement(escapeHTML(''), "A", "IMG")) + assert_equal('', unescapeElement(escapeHTML(''), ["A", "IMG"])) + assert_equal('', unescape_element(escapeHTML(''), "A", "IMG")) + assert_equal('', unescape_element(escapeHTML(''), ["A", "IMG"])) + + assert_equal('