From a699c82292b17c8e6a62e1914d5eccc252272793 Mon Sep 17 00:00:00 2001 From: Robin Dupret Date: Tue, 15 Dec 2020 20:57:32 +0100 Subject: [PATCH] Fix a security issue using `:quote` with `:escape_html` Reported by @johan-smits. --- CHANGELOG.md | 7 +++++++ ext/redcarpet/html.c | 9 ++++++++- lib/redcarpet.rb | 2 +- redcarpet.gemspec | 4 ++-- test/markdown_test.rb | 10 ++++++++++ 5 files changed, 28 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e7203c68..4ff6958a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## Version 3.5.1 (Security) + +* Fix a security vulnerability using `:quote` in combination with the + `:escape_html` option. + + Reported by *Johan Smits*. + ## Version 3.5.0 * Avoid mutating the options hash passed to a render object. diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c index 805ddd8e..785f780f 100644 --- a/ext/redcarpet/html.c +++ b/ext/redcarpet/html.c @@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque) if (!text || !text->size) return 0; + struct html_renderopt *options = opaque; + BUFPUTSL(ob, ""); - bufput(ob, text->data, text->size); + + if (options->flags & HTML_ESCAPE) + escape_html(ob, text->data, text->size); + else + bufput(ob, text->data, text->size); + BUFPUTSL(ob, ""); return 1; diff --git a/lib/redcarpet.rb b/lib/redcarpet.rb index 4a494a43..c166147b 100644 --- a/lib/redcarpet.rb +++ b/lib/redcarpet.rb @@ -2,7 +2,7 @@ require 'redcarpet/compat' module Redcarpet - VERSION = '3.5.0' + VERSION = '3.5.1' class Markdown attr_reader :renderer diff --git a/redcarpet.gemspec b/redcarpet.gemspec index bb0453b7..322782b9 100644 --- a/redcarpet.gemspec +++ b/redcarpet.gemspec 
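Review bot: The new `struct html_renderopt *options = opaque;` is declared after the early `if (!text || !text->size) return 0;`, so the hunk now mixes declarations and statements; if the other rndr_* callbacks in this file read `opaque` into `options` on their first line (the shared `void *opaque` parameter suggests they do), moving it to the top of the body keeps rndr_quote consistent with them and keeps the extension buildable under a C89-mode compiler. The root cause being fixed is a span callback that wrote `text->data` verbatim without consulting HTML_ESCAPE, so the remaining callbacks that receive a `const struct buf *text` are worth auditing for the same bare `bufput(ob, text->data, text->size)`; this hunk alone cannot show whether any remain. The `BUFPUTSL(ob, "")` arguments read as empty strings on this page, presumably an extraction artefact rather than the committed source. rndr_quote's opening brace and closing `}` lie outside the hunk.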
@@ -1,10 +1,10 @@
 # encoding: utf-8
 Gem::Specification.new do |s|
 s.name = 'redcarpet'
- s.version = '3.5.0'
+ s.version = '3.5.1'
 s.summary = "Markdown that smells nice"
 s.description = 'A fast, safe and extensible Markdown to (X)HTML parser'
- s.date = '2019-07-29'
+ s.date = '2020-12-15'
 s.email = 'vicent@github.com'
 s.homepage = 'http://github.com/vmg/redcarpet'
 s.authors = ["Natacha Porté", "Vicent Martí"]
diff --git a/test/markdown_test.rb b/test/markdown_test.rb
index 4347be9b..68de1255 100644
--- a/test/markdown_test.rb
+++ b/test/markdown_test.rb
@@ -220,6 +220,16 @@ def test_quote_flag_works
 assert_equal '

this is a quote

', output end + def test_quote_flag_honors_escape_html + text = 'We are not ""' + + output_enabled = render(text, with: [:quote, :escape_html]) + output_disabled = render(text, with: [:quote]) + + assert_equal "

We are not <svg/onload=pwned>

", output_enabled + assert_equal "

We are not

", output_disabled + end + def test_that_fenced_flag_works text = <<-fenced.strip_heredoc This is a simple test