From 498a5a95555b1684eefa10ec0c8e4423f582972d Mon Sep 17 00:00:00 2001
From: Pradyumna Shembekar
Date: Wed, 20 Nov 2019 10:10:18 -0800
Subject: [PATCH 1/2] Escapes HTML content when setting colors.

---
 lib/thor/shell/html.rb | 4 ++--
 spec/shell/html_spec.rb | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/thor/shell/html.rb b/lib/thor/shell/html.rb
index 0d1862d29..65408fafb 100644
--- a/lib/thor/shell/html.rb
+++ b/lib/thor/shell/html.rb
@@ -51,13 +51,13 @@ class HTML < Basic
 def set_color(string, *colors)
 if colors.all? { |color| color.is_a?(Symbol) || color.is_a?(String) }
 html_colors = colors.map { |color| lookup_color(color) }
- "#{string}"
+ "#{CGI.escapeHTML(string)}"
 else
 color, bold = colors
 html_color = self.class.const_get(color.to_s.upcase) if color.is_a?(Symbol)
 styles = [html_color]
 styles << BOLD if bold
- "#{string}"
+ "#{CGI.escapeHTML(string)}"
 end
 end
diff --git a/spec/shell/html_spec.rb b/spec/shell/html_spec.rb
index 1a6ef8951..d94864e46 100644
--- a/spec/shell/html_spec.rb
+++ b/spec/shell/html_spec.rb
@@ -28,4 +28,14 @@ def shell
 shell.say_status :conflict, "README", :red
 end
 end
+
+ describe "#set_color" do
+ it "escapes HTML content when unsing the default colors" do
+ expect(shell.set_color("", :blue)).to eq "<htmlcontent>"
+ end
+
+ it "escapes HTML content when not using the default colors" do
+ expect(shell.set_color("", [:nocolor])).to eq "<htmlcontent>"
+ end
+ end
 end

From f1d58221da74bcdb3cbdfc88402fe573be530a21 Mon Sep 17 00:00:00 2001
From: Pradyumna Shembekar
Date: Wed, 20 Nov 2019 10:20:54 -0800
Subject: [PATCH 2/2] Adds `escape_html` method to Thor::Util module

---
 lib/thor/shell/html.rb | 4 ++--
 lib/thor/util.rb | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/lib/thor/shell/html.rb b/lib/thor/shell/html.rb
index 65408fafb..352a6f553 100644
--- a/lib/thor/shell/html.rb
+++ b/lib/thor/shell/html.rb
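Review bot: `CGI.escapeHTML(string)` on the two added lines in set_color raises TypeError for any non-String argument (nil, a Symbol, an Integer), whereas the replaced `"#{string}"` interpolation accepted anything via `to_s`, so callers that previously passed such values would now fail. Coercing first, `"#{CGI.escapeHTML(string.to_s)}"`, keeps the old contract while still escaping; the same applies to the second patch's `Thor::Util.escape_html(string)` replacement in this file, where the coercion is best placed inside the new wrapper in lib/thor/util.rb. Nothing in this hunk shows `cgi` being loaded, so `require "cgi"` belongs at the top of lib/thor/shell/html.rb unless it is already required elsewhere. The span markup around the interpolation is not visible in this rendering, so whether the colour values joined into the style attribute are also escaped cannot be judged here; a String colour is passed through `lookup_color` and, if it ends up in the attribute unescaped, would still need handling.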
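Review bot: The example description `it "escapes HTML content when unsing the default colors" do` has a typo; `unsing` should read `using`. Both examples pass a String subject, so the new failure mode for non-String arguments introduced by `CGI.escapeHTML` is not covered; an example along the lines of `expect { shell.set_color(nil, :blue) }.not_to raise_error` (or whichever contract is intended) would pin it. The subject literals appear as `""` and the expected values without entities in this rendering, which looks like markup lost in this view rather than the actual spec text, so the assertions should be checked against the source.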
@@ -51,13 +51,13 @@ class HTML < Basic
 def set_color(string, *colors)
 if colors.all? { |color| color.is_a?(Symbol) || color.is_a?(String) }
 html_colors = colors.map { |color| lookup_color(color) }
- "#{CGI.escapeHTML(string)}"
+ "#{Thor::Util.escape_html(string)}"
 else
 color, bold = colors
 html_color = self.class.const_get(color.to_s.upcase) if color.is_a?(Symbol)
 styles = [html_color]
 styles << BOLD if bold
- "#{CGI.escapeHTML(string)}"
+ "#{Thor::Util.escape_html(string)}"
 end
 end
diff --git a/lib/thor/util.rb b/lib/thor/util.rb
index 0d5ed26a6..6e3a545a4 100644
--- a/lib/thor/util.rb
+++ b/lib/thor/util.rb
@@ -263,6 +263,22 @@ def ruby_command
 def escape_globs(path)
 path.to_s.gsub(/[*?{}\[\]]/, '\\\\\\&')
 end
+
+ # Returns a string that has had any HTML characters escaped.
+ #
+ # ==== Examples
+ #
+ # Thor::Util.escape_html('') # => "<div>"
+ #
+ # ==== Parameters
+ # String
+ #
+ # ==== Returns
+ # String
+ #
+ def escape_html(string)
+ CGI.escapeHTML(string)
+ end
 end
 end
 end
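Review bot: This hunk shows no `require "cgi"` in lib/thor/util.rb, yet the new `escape_html` calls `CGI.escapeHTML` directly, so the method depends on `cgi` having been loaded by some other file; after this patch html.rb no longer references `CGI` itself, which makes the top of util.rb the natural place for the require. The RDoc block documents the parameter as `String` only, but `CGI.escapeHTML` raises TypeError for anything else, so either the `==== Parameters` entry should state that a String is required or the body should coerce with `string.to_s` as suggested on the set_color hunk of the first patch. The enclosing module, and the `class << self` block that the `Thor::Util.escape_html` call form implies, start outside the hunk, so the visibility of the new method cannot be confirmed here. The `==== Examples` line is garbled in this rendering (the literal and its expected value are both missing their entities) and should be verified in the source.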