add Document#entity_expansion_text_limit=
## Why?
See: #192

---------

Co-authored-by: Sutou Kouhei <[email protected]>
naitoh and kou committed Aug 26, 2024
1 parent c42e848 commit d732ec2
Showing 5 changed files with 16 additions and 16 deletions.
5 changes: 3 additions & 2 deletions lib/rexml/attribute.rb
@@ -148,8 +148,9 @@ def to_s
# have been expanded to their values
def value
return @unnormalized if @unnormalized
@unnormalized = Text::unnormalize( @normalized, doctype )
@unnormalized

@unnormalized = Text::unnormalize(@normalized, doctype,
entity_expansion_text_limit: @element&.document&.entity_expansion_text_limit)
end

# The normalized value of this attribute. That is, the attribute with
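Review bot: `value` reads the document's `entity_expansion_text_limit` only on the first call, because the early `return @unnormalized if @unnormalized` serves the cached string afterwards, so a limit lowered after the first read is never applied to this attribute. `Text#value` in lib/rexml/text.rb has the same shape with `@unnormalized ||=`. Callers who set a tighter limit for untrusted input need to know it must be in place before any value is read; I would add a comment above the assignment such as `# The limit is consulted only on first expansion; the cached value is not re-checked.` A detached attribute (`@element` nil) passes nil and falls back to the global `Security` limit inside `Text::unnormalize`, which looks intended.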
2 changes: 2 additions & 0 deletions lib/rexml/document.rb
@@ -92,6 +92,7 @@ class Document < Element
def initialize( source = nil, context = {} )
@entity_expansion_count = 0
@entity_expansion_limit = Security.entity_expansion_limit
@entity_expansion_text_limit = Security.entity_expansion_text_limit
super()
@context = context
return if source.nil?
@@ -433,6 +434,7 @@ def Document::entity_expansion_text_limit

attr_reader :entity_expansion_count
attr_writer :entity_expansion_limit
attr_accessor :entity_expansion_text_limit

def record_entity_expansion
@entity_expansion_count += 1
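Review bot: `@entity_expansion_text_limit = Security.entity_expansion_text_limit` in `initialize` copies the global limit once, so changing `REXML::Security.entity_expansion_text_limit` after a document has been constructed no longer affects that document, whereas the replaced comparison in `Text::unnormalize` read the global on every call. An application that tightens the global limit late silently keeps the earlier value on documents that already exist. The new `attr_accessor` also carries no comment and accepts any object; I would document it, e.g. `# Per-document cap, in bytes, on text produced by entity expansion; defaults to Security.entity_expansion_text_limit at construction, nil falls back to the global value.` `initialize` continues past the end of the first hunk.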
7 changes: 5 additions & 2 deletions lib/rexml/entity.rb
@@ -71,9 +71,12 @@ def Entity::matches? string
# Evaluates to the unnormalized value of this entity; that is, replacing
# &ent; entities.
def unnormalized
document.record_entity_expansion unless document.nil?
document&.record_entity_expansion

return nil if @value.nil?
@unnormalized = Text::unnormalize(@value, parent)

@unnormalized = Text::unnormalize(@value, parent,
entity_expansion_text_limit: document&.entity_expansion_text_limit)
end

#once :unnormalized
8 changes: 5 additions & 3 deletions lib/rexml/text.rb
@@ -268,7 +268,8 @@ def inspect
# u = Text.new( "sean russell", false, nil, true )
# u.value #-> "sean russell"
def value
@unnormalized ||= Text::unnormalize( @string, doctype )
@unnormalized ||= Text::unnormalize(@string, doctype,
entity_expansion_text_limit: document&.entity_expansion_text_limit)
end

# Sets the contents of this text node. This expects the text to be
@@ -411,11 +412,12 @@ def Text::normalize( input, doctype=nil, entity_filter=nil )
end

# Unescapes all possible entities
def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil, entity_expansion_text_limit: nil )
entity_expansion_text_limit ||= Security.entity_expansion_text_limit
sum = 0
string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
s = Text.expand($&, doctype, filter)
if sum + s.bytesize > Security.entity_expansion_text_limit
if sum + s.bytesize > entity_expansion_text_limit
raise "entity expansion has grown too large"
else
sum += s.bytesize
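Review bot: In `Text::unnormalize` the running total `sum` starts at 0 on every call, so the new per-document limit bounds each text node, attribute value or entity value separately rather than the document as a whole; the accessor name `Document#entity_expansion_text_limit` is easily read as a document-wide budget. The comment `# Unescapes all possible entities` should say so and describe the new keyword, e.g. `# entity_expansion_text_limit: maximum bytes of expanded text for this call; nil uses Security.entity_expansion_text_limit.` The value is also used unchecked in `sum + s.bytesize > entity_expansion_text_limit`, so a non-numeric value assigned through the accessor surfaces only here as a comparison error. The method body continues beyond the hunk.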
10 changes: 1 addition & 9 deletions test/test_document.rb
@@ -31,14 +31,6 @@ def test_new
end

class EntityExpansionLimitTest < Test::Unit::TestCase
def setup
@default_entity_expansion_text_limit = REXML::Security.entity_expansion_text_limit
end

def teardown
REXML::Security.entity_expansion_text_limit = @default_entity_expansion_text_limit
end

class GeneralEntityTest < self
def test_have_value
xml = <<XML
@@ -138,8 +130,8 @@ def test_entity_expansion_text_limit
<member>&a;</member>
XML

REXML::Security.entity_expansion_text_limit = 90
doc = REXML::Document.new(xml)
doc.entity_expansion_text_limit = 90
assert_equal(90, doc.root.children.first.value.bytesize)
end
end
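Review bot: The updated `test_entity_expansion_text_limit` checks only the accepting boundary (limit 90, value of 90 bytes); within the visible hunks nothing asserts that a document-level limit below the expanded size is rejected. With `setup`/`teardown` gone, nothing here exercises the fallback to `REXML::Security.entity_expansion_text_limit` when the document's limit is nil either. Since this limit is the guard against oversized entity expansion, I would add the rejecting case next to it, using a limit just below the expanded size, e.g. `doc.entity_expansion_text_limit = 89` followed by `assert_raise(RuntimeError) { doc.root.children.first.value }`. Cases elsewhere in the file, outside these hunks, may already cover this.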