From 6777008202c1bde0520bb09fd1f02dee64dbcb60 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 20 Jul 2019 17:12:17 -0400
Subject: [PATCH] eliminate `eval` from Builder#initialize which was raised by Rubocop's security filter related to #1915
---
 lib/nokogiri/xml/builder.rb | 11 +++++++----
 test/xml/test_builder.rb | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/lib/nokogiri/xml/builder.rb b/lib/nokogiri/xml/builder.rb
index 38d7ac19af..749140ea28 100644
--- a/lib/nokogiri/xml/builder.rb
+++ b/lib/nokogiri/xml/builder.rb
@@ -268,10 +268,13 @@ def initialize(options = {}, root = nil, &block)
 @doc = root.document
 @parent = root
 else
- namespace = self.class.name.split("::")
- namespace[-1] = "Document"
- @doc = eval(namespace.join("::")).new
- @parent = @doc
+ klassname = "::" + (self.class.name.split("::")[0..-2] + ["Document"]).join("::")
+ klass = begin
+ Object.const_get(klassname)
+ rescue NameError
+ Nokogiri::XML::Document
+ end
+ @parent = @doc = klass.new
 end

 @context = nil
diff --git a/test/xml/test_builder.rb b/test/xml/test_builder.rb
index 1b5e2c9bed..aaa18ecb9d 100644
--- a/test/xml/test_builder.rb
+++ b/test/xml/test_builder.rb
@@ -342,6 +342,17 @@ def test_builder_reuses_namespaces
 assert_equal envelope.namespace.object_id, package.namespace.object_id
 end

+ def test_builder_uses_proper_document_class
+ xml_builder = Nokogiri::XML::Builder.new
+ assert_instance_of Nokogiri::XML::Document, xml_builder.doc
+
+ html_builder = Nokogiri::HTML::Builder.new
+ assert_instance_of Nokogiri::HTML::Document, html_builder.doc
+
+ foo_builder = ThisIsATestBuilder.new
+ assert_instance_of Nokogiri::XML::Document, foo_builder.doc
+ end
+
 private

 def namespaces_defined_on(node)
@@ -350,3 +361,7 @@ def namespaces_defined_on(node)
 end
 end
 end
+
+class ThisIsATestBuilder < Nokogiri::XML::Builder
+ # this exists for the test_builder_uses_proper_document_class and should be empty
+end
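Review bot: The class returned by `Object.const_get(klassname)` in the first hunk is instantiated without any check that it is a document class. The `rescue NameError` fallback only covers a missing constant, so for a top-level subclass klassname is `::Document`, and any application-defined `Document` constant would become `@doc`. A guard after the lookup, such as `klass = Nokogiri::XML::Document unless klass.is_a?(Class) && klass <= Nokogiri::XML::Document`, would restrict the result to Nokogiri documents. The `ThisIsATestBuilder` assertion added in test/xml/test_builder.rb passes only while no top-level `Document` is defined in the test process, so it does not exercise this case. `initialize` starts and ends outside the hunk.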