From fc84a4e989d3ced1c7dd410694591519960ce9bd Mon Sep 17 00:00:00 2001
From: rick
Date: Tue, 11 Jan 2011 00:30:22 -0800
Subject: [PATCH] add proper shell escaping for Albino

---
 lib/gollum/albino.rb | 13 +++++++++++++
 test/test_markup.rb | 12 ++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/lib/gollum/albino.rb b/lib/gollum/albino.rb
index c3a18a27..03725e47 100644
--- a/lib/gollum/albino.rb
+++ b/lib/gollum/albino.rb
@@ -14,4 +14,17 @@ class Gollum::Albino < Albino
     html.sub!(%r{\Z}, "\n")
     html
   end
+
+  # Hotfix for vulnerable versions of Albino
+  if !instance_methods.include?('shell_escape')
+    def convert_options(options = {})
+      @options.merge(options).inject('') do |string, (flag, value)|
+        string + " -#{flag} #{shell_escape value}"
+      end
+    end
+
+    def shell_escape(str)
+      str.to_s.gsub("'", "\\\\'").gsub(";", '\\;')
+    end
+  end
 end
\ No newline at end of file
diff --git a/test/test_markup.rb b/test/test_markup.rb
index 4a7b54c3..3b9ecb91 100644
--- a/test/test_markup.rb
+++ b/test/test_markup.rb
@@ -353,6 +353,18 @@ context "Markup" do
     compare(content, output)
   end
 
+  test "code block with invalid lang" do
+    content = "a\n\n``` ls -al;\n\tbooya\n\tboom\n```\n\nb"
+    output = "
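Review bot: `shell_escape` in the new block neutralises only `'` and `;`, yet `convert_options` still splices the value unquoted into a space-separated command string, so a lexer name containing `|`, `&`, `$(`, backticks, a newline or even a plain space reaches whatever runs that string untouched (e.g. `ruby|id` or `$(id)` would still be interpreted if Albino hands the string to a shell, which the "vulnerable versions" comment suggests it does). The standard library already covers this: `require 'shellwords'` at the top of the file and `Shellwords.escape(str.to_s)` as the body of `shell_escape`, or better still build the command as an argv array so no shell is involved at all, though that change lives in Albino, outside this hunk. Separately, the guard `if !instance_methods.include?('shell_escape')` compares against a String while `instance_methods` returns Symbols on Ruby 1.9, so on 1.9 these methods are always redefined and would silently override a stronger upstream `shell_escape`; `unless method_defined?(:shell_escape)` accepts either form. The `Gollum::Albino` class starts before this hunk.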

a

\n\n\n\n

b

" + compare(content, output) + end + + test "code block with no lang" do + content = "a\n\n```\n\tls -al;\n\tbooya\n```\n\nb" + output = "

a

\n\n\n\n

b

" + compare(content, output) + end + ######################################################################### # # Various
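Review bot: Both new tests assert only the rendered HTML, which would be identical whether or not `ls -al;` was ever handed to a shell, so they exercise the markup path rather than the escaping itself, and the only metacharacters covered are a space and `;`. A direct assertion on `Gollum::Albino#convert_options` for a lexer such as `x | $(id)`, or one containing a newline or backticks, would pin `shell_escape`'s behaviour (I am assuming the lexer is the constructor's second argument — confirm before writing it). In `code block with no lang` the `ls -al;` sits in the code body rather than in the fence info string, so it is not obvious which of the two inputs the test is meant to guard; a one-line comment on each test stating which string is expected to reach Albino's option string would make the intent clear. The `context "Markup"` block starts and ends outside this hunk.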