escape.c: Preserve original state

* ext/cgi/escape/escape.c (preserve_original_state): Preserve
  original state for tainted and frozen.  [Fix GH-1166]
  [ruby-dev:49451] [Bug #11855]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53233 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,9 @@
+Tue Dec 22 05:39:58 2015  Takashi Kokubun  <takashikkbn@gmail.com>
+
+	* ext/cgi/escape/escape.c (preserve_original_state): Preserve
+	  original state for tainted and frozen.  [Fix GH-1166]
+	  [ruby-dev:49451] [Bug #11855]
+
 Tue Dec 22 03:57:20 2015  Eric Wong  <e@80x24.org>
 
 	* ext/socket/init.c (rsock_init_sock): check FD after validating

ext/cgi/escape/escape.c

@@ -25,6 +25,14 @@ html_escaped_cat(VALUE str, char c)
     }
 }
 
+static inline void
+preserve_original_state(VALUE orig, VALUE dest)
+{
+    rb_enc_associate(dest, rb_enc_get(orig));
+
+    FL_SET_RAW(dest, FL_TEST_RAW(orig, FL_FREEZE|FL_TAINT));
+}
+
 static VALUE
 optimized_escape_html(VALUE str)
 {
@@ -57,7 +65,7 @@ optimized_escape_html(VALUE str)
 
     if (modified) {
 	rb_str_cat(dest, cstr + beg, len - beg);
-	rb_enc_associate(dest, rb_enc_get(str));
+	preserve_original_state(str, dest);
 	return dest;
     }
     else {

test/cgi/test_cgi_util.rb

@@ -68,6 +68,16 @@ class CGIUtilTest < Test::Unit::TestCase
     assert_equal(Encoding::UTF_8, CGI::escapeHTML("'&\"><".force_encoding("UTF-8")).encoding)
   end
 
+  def test_cgi_escape_html_preserve_tainted
+    assert_equal(false, CGI::escapeHTML("'&\"><").tainted?)
+    assert_equal(true, CGI::escapeHTML("'&\"><".taint).tainted?)
+  end
+
+  def test_cgi_escape_html_preserve_frozen
+    assert_equal(false, CGI::escapeHTML("'&\"><".dup).frozen?)
+    assert_equal(true, CGI::escapeHTML("'&\"><".freeze).frozen?)
+  end
+
   def test_cgi_unescapeHTML
     assert_equal("'&\"><", CGI::unescapeHTML("&#39;&amp;&quot;&gt;&lt;"))
   end