XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)

Disclosed: 2023-07-18 08:42:32 By sighook To ruby
Medium
Vulnerability Details
The exploit exists in `paragraph` formatting that allows malicious code to be injected into the generated documentation.

PoC
----

For example, let's create the `example` file with the following content:

```
\x[\<script>alert(1);</script>\]
```

Now, run rdoc:

```sh
rdoc --all
```

The output HTML will have the following injected JavaScript code:

```html
<main role="main" aria-label="Page example">
<p>x[<script>alert(1);</script>]</p>
</main>
```

Solution
--------

I may be wrong with the solution, but I want to be more helpful :)

At first glance, the vulnerable code is here:

```rb
def accept_paragraph paragraph
  @res << "\n<p>"
  text = paragraph.text @hard_break
  text = text.gsub(/\r?\n/, ' ')
  @res << to_html(text) # <====== CGI.escapeHTML(text)) ???
  @res << "</p>\n"
end
```

I suppose we should sanitize the output. For example, after changing `text` to `CGI.escapeHTML(text)`, I got the following result:

```html
<main role="main" aria-label="Page example">
<p>x[&lt;script&gt;alert(1);&lt;/script&gt;]</p>
</main>
```

I hope this doesn't break anything. ^_^

## Impact

A cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Report Stats
  • Report ID: 1977168
  • State: Closed
  • Substate: informative
  • Upvotes: 16
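The following is an added example, not rdoc's code and not part of the report above. It is a minimal stand-in for the paragraph step quoted in the report: the same `\n<p>...</p>\n` wrapping, rendered once without escaping (the behaviour the PoC shows) and once through `CGI.escapeHTML` (the change the reporter tried). The `strip_markup_escape` helper is an assumption: it only drops the backslash that RDoc uses to suppress markup on the next character, which is enough to reproduce the report's input and output, but it is not rdoc's real inline formatter. `contains_script?` is a constructed check a practitioner might run over generated pages.

```ruby
require 'cgi'

# Constructed helper (assumption, not rdoc's formatter): RDoc lets "\" protect
# the next character from markup interpretation. For the PoC input this means
# "\x" -> "x", "\<" -> "<" and "\]" -> "]", after which the text is emitted as-is.
def strip_markup_escape(text)
  text.gsub(/\\(.)/, '\1')
end

# Mirrors the shape of the accept_paragraph method quoted in the report:
# newlines are collapsed to spaces and the text is wrapped in a <p> element.
# With escape: false the text reaches the HTML verbatim (the reported XSS);
# with escape: true it is passed through CGI.escapeHTML first.
def render_paragraph(text, escape: true)
  body = strip_markup_escape(text).gsub(/\r?\n/, ' ')
  body = CGI.escapeHTML(body) if escape
  "\n<p>#{body}</p>\n"
end

# The reporter's PoC file content, as a Ruby single-quoted string
# (single quotes keep the backslashes literal).
POC = '\x[\<script>alert(1);</script>\]'

# Constructed post-generation check: does the rendered fragment still
# contain a <script> start tag? Crude, but sufficient for this PoC.
def contains_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_paragraph(POC, escape: false).inspect}"
  puts "escaped:   #{render_paragraph(POC).inspect}"
end
```

Run with `ruby` to see both renderings side by side; the unescaped output is the `<p>x[<script>alert(1);</script>]</p>` fragment from the PoC and the escaped one is the `&lt;script&gt;` form from the Solution section. Note that `CGI.escapeHTML` also escapes `&`, `"` and `'`, so any intentional raw HTML in a documentation comment would be neutralised by the same change, which is the "I hope this doesn't break anything" concern the reporter raises.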