[ruby/cgi] Escape/unescape unclosed tags as well

cd1eb08076 Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
2025-09-15 16:44:01 +02:00 · 2025-02-21 15:53:31 +09:00 · 2025-02-21 15:53:31 +09:00 · 237ab21f25
commit 237ab21f25
parent fc60a04de9
2 changed files with 20 additions and 2 deletions
--- a/lib/cgi/util.rb
+++ b/lib/cgi/util.rb
@ -184,7 +184,7 @@ module CGI::Util
  def escapeElement(string, *elements)
    elements = elements[0] if elements[0].kind_of?(Array)
    unless elements.empty?
-      string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
+      string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
        CGI.escapeHTML($&)
      end
    else
@ -204,7 +204,7 @@ module CGI::Util
  def unescapeElement(string, *elements)
    elements = elements[0] if elements[0].kind_of?(Array)
    unless elements.empty?
-      string.gsub(/&lt;\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?&gt;/i) do
+      string.gsub(/&lt;\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:&gt;)?/im) do
        unescapeHTML($&)
      end
    else