From d32e6702172160d3becfa10005f2c415a472b937 Mon Sep 17 00:00:00 2001
From: takahashim <maki@rubycolor.org>
Date: Sat, 29 Aug 2020 16:13:05 +0900
Subject: [PATCH 1/2] do not allow tricky id used as path; fix #1393

path characters: `A-Z` + `a-z` + `0-9` + `_:=+-()|`
---
 lib/review/book/index/item.rb | 11 ++++++++++-
 test/test_htmlbuilder.rb      | 23 ++++++++---------------
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/lib/review/book/index/item.rb b/lib/review/book/index/item.rb
index f2edece56..b2cf1b1a2 100644
--- a/lib/review/book/index/item.rb
+++ b/lib/review/book/index/item.rb
@@ -32,7 +32,16 @@ def initialize(id, number, caption = nil)
         alias_method :content, :caption
 
         def path
-          @path ||= @index.find_path(id)
+          if @path
+            return @path
+          end
+
+          unless @id =~ /\A[A-Za-z0-9_:=+\-()|]+\z/
+            raise ReVIEW::SyntaxError, "invalid ID character for path: `#{@id}`"
+          end
+          @path = @index.find_path(@id)
+
+          @path
         end
       end
     end
diff --git a/test/test_htmlbuilder.rb b/test/test_htmlbuilder.rb
index 2562ac6f0..faba6d52b 100644
--- a/test/test_htmlbuilder.rb
+++ b/test/test_htmlbuilder.rb
@@ -665,23 +665,16 @@ def @chapter.image(_id)
     assert_equal expected, actual
   end
 
-  def test_image_with_tricky_id
-    def @chapter.image(_id)
-      item = Book::Index::Item.new('123 あ_;', 1)
-      item.instance_eval { @path = './images/chap1-123 あ_;.png' }
-      item
+  def test_image_with_tricky_id_kana
+    assert_raise(ReVIEW::SyntaxError) do
+      _result = compile_block("//image[123あいう][sample photo]{\n//}\n")
     end
+  end
 
-    actual = compile_block("//image[123 あ_;][sample photo]{\n//}\n")
-    expected = <<-EOS
-<div id="id_123-_E3_81_82___3B" class="image">
-<img src="images/chap1-123 あ_;.png" alt="sample photo" />
-<p class="caption">
-図1.1: sample photo
-</p>
-</div>
-EOS
-    assert_equal expected, actual
+  def test_image_with_tricky_id_space
+    assert_raise(ReVIEW::SyntaxError) do
+      _result = compile_block("//image[123 abc][sample photo]{\n//}\n")
+    end
   end
 
   def test_indepimage

From f27b4d32085896a6914d547d9c230cb21fb895da Mon Sep 17 00:00:00 2001
From: takahashim <maki@rubycolor.org>
Date: Sat, 29 Aug 2020 18:12:06 +0900
Subject: [PATCH 2/2] ID checking should be only against spaces

---
 lib/review/book/index/item.rb |  2 +-
 test/test_htmlbuilder.rb      | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/lib/review/book/index/item.rb b/lib/review/book/index/item.rb
index b2cf1b1a2..d9458e68c 100644
--- a/lib/review/book/index/item.rb
+++ b/lib/review/book/index/item.rb
@@ -36,7 +36,7 @@ def path
             return @path
           end
 
-          unless @id =~ /\A[A-Za-z0-9_:=+\-()|]+\z/
+          if @id =~ /\s/
             raise ReVIEW::SyntaxError, "invalid ID character for path: `#{@id}`"
           end
           @path = @index.find_path(@id)
diff --git a/test/test_htmlbuilder.rb b/test/test_htmlbuilder.rb
index faba6d52b..aa9782c05 100644
--- a/test/test_htmlbuilder.rb
+++ b/test/test_htmlbuilder.rb
@@ -666,9 +666,23 @@ def @chapter.image(_id)
   end
 
   def test_image_with_tricky_id_kana
-    assert_raise(ReVIEW::SyntaxError) do
-      _result = compile_block("//image[123あいう][sample photo]{\n//}\n")
+    def @chapter.image(_id)
+      item = Book::Index::Item.new('123あいう', 1)
+      item.instance_eval { @path = './images/123あいう.png' }
+      item
     end
+    @chapter.instance_eval { @name = 'ch01' }
+    actual = compile_block("//image[123あいう][sample photo]{\n//}\nimg: @<img>{123あいう}\n")
+    expected = <<-EOS
+<div id="id_123_E3_81_82_E3_81_84_E3_81_86" class="image">
+<img src="images/123あいう.png" alt="sample photo" />
+<p class="caption">
+図1.1: sample photo
+</p>
+</div>
+<p>img: <span class="imgref"><a href="./ch01.html#id_123_E3_81_82_E3_81_84_E3_81_86">図1.1</a></span></p>
+EOS
+    assert_equal expected, actual
   end
 
   def test_image_with_tricky_id_space