add proper shell escaping for Albino

lib/gollum/albino.rb

@@ -14,4 +14,17 @@ class Gollum::Albino < Albino
     html.sub!(%r{</pre></div>\Z}, "</pre>\n</div>")
     html
   end
+
+  # Hotfix for vulnerable versions of Albino
+  if !instance_methods.include?('shell_escape')
+    def convert_options(options = {})
+      @options.merge(options).inject('') do |string, (flag, value)|
+        string + " -#{flag} #{shell_escape value}"
+      end
+    end
+
+    def shell_escape(str)
+      str.to_s.gsub("'", "\\\\'").gsub(";", '\\;')
+    end
+  end
 end

test/test_markup.rb

@@ -353,6 +353,18 @@ context "Markup" do
     compare(content, output)
   end
 
+  test "code block with invalid lang" do
+    content = "a\n\n``` ls -al;\n\tbooya\n\tboom\n```\n\nb"
+    output = "<p>a</p>\n\n\n\n<p>b</p>"
+    compare(content, output)
+  end
+
+  test "code block with no lang" do
+    content = "a\n\n```\n\tls -al;\n\tbooya\n```\n\nb"
+    output = "<p>a</p>\n\n\n\n<p>b</p>"
+    compare(content, output)
+  end
+
   #########################################################################
   #
   # Various