add Document#entity_expansion_text_limit=
## Why?
See: #192
naitoh committed Aug 22, 2024
1 parent 05750a3 commit 8554f73
Showing 5 changed files with 23 additions and 16 deletions.
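--- a/lib/rexml/attribute.rb
+++ b/lib/rexml/attribute.rb
@@ -148,8 +148,12 @@ def to_s
 # have been expanded to their values
 def value
 return @unnormalized if @unnormalized
-@unnormalized = Text::unnormalize( @normalized, doctype )
-@unnormalized
+
+if @element&.document
+@unnormalized = Text::unnormalize(@normalized, doctype, entity_expansion_text_limit: @element.document.entity_expansion_text_limit)
+else
+@unnormalized = Text::unnormalize(@normalized, doctype)
+end
 end
 
 # The normalized value of this attribute. That is, the attribute with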
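Review bot: `Attribute#value` returns the cached `@unnormalized` on every call after the first, so the per-document limit read in the new `if @element&.document` branch is enforced only on the first read; lowering `entity_expansion_text_limit` afterwards does not re-check an attribute that was already expanded. `Text#value` in lib/rexml/text.rb memoizes with `||=` and behaves the same way. That is worth stating next to the method, for example `# The result is cached: the limit in effect on the first call applies; later changes to the document's limit are not re-checked.` The same document/no-document branch is also repeated in `Entity#unnormalized` and `Text#value`; a small shared helper that resolves the limit would keep the three call sites from drifting apart.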
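--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@@ -92,6 +92,7 @@ class Document < Element
 def initialize( source = nil, context = {} )
 @entity_expansion_count = 0
 @entity_expansion_limit = Security.entity_expansion_limit
+@entity_expansion_text_limit = Security.entity_expansion_text_limit
 super()
 @context = context
 return if source.nil?
@@ -432,6 +433,7 @@ def Document::entity_expansion_text_limit
 end
 
 attr_reader :entity_expansion_count
+attr_accessor :entity_expansion_text_limit
 
 def record_entity_expansion
 @entity_expansion_count += 1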
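Review bot: `attr_accessor :entity_expansion_text_limit` generates a writer that accepts any object, and the value is later used directly in `sum + s.bytesize > entity_expansion_text_limit` in `Text::unnormalize`. Assigning `nil` or a String therefore surfaces as a comparison `ArgumentError` on the first expansion rather than at the assignment, and a value above `Security.entity_expansion_text_limit` raises the cap for that document without any trace. Consider `attr_reader` plus an explicit writer that starts with `raise ArgumentError, "entity_expansion_text_limit must be a non-negative Integer" unless limit.is_a?(Integer) && limit >= 0`, and a comment saying the unit is bytes and the default comes from `Security.entity_expansion_text_limit`. The writer can only be called after `Document.new(source)` returns, so anything expanded while the constructor processes `source` (that part of `initialize` is outside the hunk) would presumably still use the default.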
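--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -71,9 +71,14 @@ def Entity::matches? string
 # Evaluates to the unnormalized value of this entity; that is, replacing
 # &ent; entities.
 def unnormalized
-document.record_entity_expansion unless document.nil?
 return nil if @value.nil?
-@unnormalized = Text::unnormalize(@value, parent)
+
+if document.nil?
+@unnormalized = Text::unnormalize(@value, parent)
+else
+document.record_entity_expansion
+@unnormalized = Text::unnormalize(@value, parent, entity_expansion_text_limit: document.entity_expansion_text_limit)
+end
 end
 
 #once :unnormalized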
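Review bot: `document.record_entity_expansion` now runs only in the `else` branch after `return nil if @value.nil?`, whereas the removed line called it before that guard, so an entity whose `@value` is nil no longer increments `@entity_expansion_count`. If that change is intended it deserves a line in the description; if not, keep the count ahead of the guard by resolving the document once, `doc = document` followed by `doc.record_entity_expansion if doc`, before `return nil if @value.nil?`. Holding the document in a local also avoids calling `document` three times in this method.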
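--- a/lib/rexml/text.rb
+++ b/lib/rexml/text.rb
@@ -268,7 +268,11 @@ def inspect
 # u = Text.new( "sean russell", false, nil, true )
 # u.value #-> "sean russell"
 def value
-@unnormalized ||= Text::unnormalize( @string, doctype )
+if document.nil?
+@unnormalized ||= Text::unnormalize(@string, doctype)
+else
+@unnormalized ||= Text::unnormalize(@string, doctype, entity_expansion_text_limit: document.entity_expansion_text_limit)
+end
 end
 
 # Sets the contents of this text node. This expects the text to be
@@ -411,11 +415,11 @@ def Text::normalize( input, doctype=nil, entity_filter=nil )
 end
 
 # Unescapes all possible entities
-def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
+def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil, entity_expansion_text_limit: Security.entity_expansion_text_limit )
 sum = 0
 string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
 s = Text.expand($&, doctype, filter)
-if sum + s.bytesize > Security.entity_expansion_text_limit
+if sum + s.bytesize > entity_expansion_text_limit
 raise "entity expansion has grown too large"
 else
 sum += s.bytesize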
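Review bot: The comment above `Text::unnormalize` still reads only `# Unescapes all possible entities` and says nothing about the new `entity_expansion_text_limit:` keyword. From the visible body the limit is compared against `sum`, the running `bytesize` of the expanded references in this one call, and exceeding it raises `"entity expansion has grown too large"`; I would add `# entity_expansion_text_limit: maximum total bytes produced by expanding references in this call; a larger result raises.` and note that it defaults to `Security.entity_expansion_text_limit`. The method body continues past the end of the hunk, so this describes only the lines shown.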
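--- a/test/test_document.rb
+++ b/test/test_document.rb
@@ -31,14 +31,6 @@ def test_new
 end
 
 class EntityExpansionLimitTest < Test::Unit::TestCase
-def setup
-@default_entity_expansion_text_limit = REXML::Security.entity_expansion_text_limit
-end
-
-def teardown
-REXML::Security.entity_expansion_text_limit = @default_entity_expansion_text_limit
-end
-
 class GeneralEntityTest < self
 def test_have_value
 xml = <<XML
@@ -138,8 +130,8 @@ def test_entity_expansion_text_limit
 <member>&a;</member>
 XML
 
-REXML::Security.entity_expansion_text_limit = 90
 doc = REXML::Document.new(xml)
+doc.entity_expansion_text_limit = 90
 assert_equal(90, doc.root.children.first.value.bytesize)
 end
 end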
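Review bot: `test_entity_expansion_text_limit` now sets `doc.entity_expansion_text_limit = 90` and asserts only the passing case, a value of exactly 90 bytes. Nothing visible here checks that a document whose limit is below the expanded size raises, that `REXML::Security.entity_expansion_text_limit` is left untouched by the per-document setter, or that `Attribute#value` and `Entity#unnormalized` honour the new limit. A companion case that sets a limit lower than the expanded size and wraps the read in `assert_raise(RuntimeError) { doc.root.children.first.value }` would pin the failure path. The test starts above the hunk and the file is only partly shown, so such cases may exist elsewhere; with `setup`/`teardown` removed, it is also worth confirming that no remaining test in this class still assigns the global limit.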
