rustdoc: HTML escape crate version

ollie27 · ollie27 · commit 3c97f8ad12e3 · 2020-03-01T00:15:44.000Z
As `--crate-version` accepts arbitrary strings they need to be escaped.
diff --git a/src/librustdoc/html/render.rs b/src/librustdoc/html/render.rs
@@ -1313,7 +1313,8 @@ impl Context {
                          <p>Version {}</p>\
                      </div>\
                      <a id='all-types' href='index.html'><p>Back to index</p></a>",
-                crate_name, version
+                crate_name,
+                Escape(version),
             )
         } else {
             String::new()
@@ -3974,7 +3975,7 @@ fn print_sidebar(cx: &Context, it: &clean::Item, buffer: &mut Buffer) {
                 "<div class='block version'>\
                     <p>Version {}</p>\
                     </div>",
-                version
+                Escape(version)
             );
         }
     }
diff --git a/src/test/rustdoc/crate-version-escape.rs b/src/test/rustdoc/crate-version-escape.rs
@@ -0,0 +1,6 @@
+// compile-flags: --crate-version=<script>alert("hi")</script> -Z unstable-options
+
+#![crate_name = "foo"]
+
+// @has 'foo/index.html' '//div[@class="block version"]/p' 'Version <script>alert("hi")</script>'
+// @has 'foo/all.html' '//div[@class="block version"]/p' 'Version <script>alert("hi")</script>'

Original file line number	Diff line number	Diff line change
`@@ -1313,7 +1313,8 @@ impl Context {`
`1313`	`1313`	`<p>Version {}</p>\`
`1314`	`1314`	`</div>\`
`1315`	`1315`	`<a id='all-types' href='index.html'><p>Back to index</p></a>",`
`1316`		`- crate_name, version`
	`1316`	`+ crate_name,`
	`1317`	`+ Escape(version),`
`1317`	`1318`	`)`
`1318`	`1319`	`} else {`
`1319`	`1320`	`String::new()`
`@@ -3974,7 +3975,7 @@ fn print_sidebar(cx: &Context, it: &clean::Item, buffer: &mut Buffer) {`
`3974`	`3975`	`"<div class='block version'>\`
`3975`	`3976`	`<p>Version {}</p>\`
`3976`	`3977`	`</div>",`
`3977`		`- version`
	`3978`	`+ Escape(version)`
`3978`	`3979`	`);`
`3979`	`3980`	`}`
`3980`	`3981`	`}`