resolves #2112 sanitize content of authors meta tag in HTML output (PR #2181)

- sanitize content of authors meta tag in HTML output
- sanitize value of author and authors attribute before partitioning
- consolidate author metadata assignment
- add tests

4 files changed, 39 insertions, 10 deletions

diff --git a/lib/asciidoctor/converter/html5.rb b/lib/asciidoctor/converter/html5.rb
index 56575b8f..075736bb 100644
--- a/lib/asciidoctor/converter/html5.rb
+++ b/lib/asciidoctor/converter/html5.rb
@@ -49,7 +49,7 @@ module Asciidoctor
       result << %(<meta name="application-name" content="#{node.attr 'app-name'}"#{slash}>) if node.attr? 'app-name'
       result << %(<meta name="description" content="#{node.attr 'description'}"#{slash}>) if node.attr? 'description'
       result << %(<meta name="keywords" content="#{node.attr 'keywords'}"#{slash}>) if node.attr? 'keywords'
-      result << %(<meta name="author" content="#{node.attr 'authors'}"#{slash}>) if node.attr? 'authors'
+      result << %(<meta name="author" content="#{((authors = node.attr 'authors').include? '<') ? (authors.gsub XmlSanitizeRx, '') : authors}"#{slash}>) if node.attr? 'authors'
       result << %(<meta name="copyright" content="#{node.attr 'copyright'}"#{slash}>) if node.attr? 'copyright'
       result << %(<title>#{node.doctitle :sanitize => true, :use_fallback => true}</title>)
 
diff --git a/lib/asciidoctor/parser.rb b/lib/asciidoctor/parser.rb
index f82ea510..f70444c5 100644
--- a/lib/asciidoctor/parser.rb
+++ b/lib/asciidoctor/parser.rb
@@ -1913,7 +1913,7 @@ class Parser
   #                semicolon-separated entries in the author line (default: true)
   #
   # returns a Hash of author metadata
-  def self.process_authors(author_line, names_only = false, multiple = true)
+  def self.process_authors author_line, names_only = false, multiple = true
     author_metadata = {}
     keys = ['author', 'authorinitials', 'firstname', 'middlename', 'lastname', 'email']
     author_entries = multiple ? (author_line.split ';').map {|it| it.strip } : Array(author_line)
@@ -1931,32 +1931,36 @@ class Parser
       end
 
       segments = nil
-      if names_only
-        # NOTE split names and collapse repeating whitespace
+      if names_only # when parsing an attribute value
+        # QUESTION should we rstrip author_entry?
+        if author_entry.include? '<'
+          author_metadata[key_map[:author]] = author_entry.tr('_', ' ')
+          author_entry = author_entry.gsub XmlSanitizeRx, ''
+        end
+        # NOTE split names and collapse repeating whitespace (split drops any leading whitespace)
         if (segments = author_entry.split nil, 3).size == 3
           segments << (segments.pop.squeeze ' ')
         end
       elsif (match = AuthorInfoLineRx.match(author_entry))
-        segments = match.to_a
-        segments.shift
+        (segments = match.to_a).shift
       end
 
       if segments
-        author_metadata[key_map[:firstname]] = fname = segments[0].tr('_', ' ')
-        author_metadata[key_map[:author]] = fname
+        author = author_metadata[key_map[:firstname]] = fname = segments[0].tr('_', ' ')
         author_metadata[key_map[:authorinitials]] = fname.chr
         if segments[1]
           if segments[2]
             author_metadata[key_map[:middlename]] = mname = segments[1].tr('_', ' ')
             author_metadata[key_map[:lastname]] = lname = segments[2].tr('_', ' ')
-            author_metadata[key_map[:author]] = [fname, mname, lname].join ' '
+            author = fname + ' ' + mname + ' ' + lname
             author_metadata[key_map[:authorinitials]] = %(#{fname.chr}#{mname.chr}#{lname.chr})
           else
             author_metadata[key_map[:lastname]] = lname = segments[1].tr('_', ' ')
-            author_metadata[key_map[:author]] = [fname, lname].join ' '
+            author = fname + ' ' + lname
             author_metadata[key_map[:authorinitials]] = %(#{fname.chr}#{lname.chr})
           end
         end
+        author_metadata[key_map[:author]] ||= author
         author_metadata[key_map[:email]] = segments[3] unless names_only || !segments[3]
       else
         author_metadata[key_map[:author]] = author_metadata[key_map[:firstname]] = fname = author_entry.squeeze(' ').strip
diff --git a/test/document_test.rb b/test/document_test.rb
index 0ba136dc..4317cd7d 100644
--- a/test/document_test.rb
+++ b/test/document_test.rb
@@ -1494,6 +1494,18 @@ content
       assert_xpath '//articleinfo/authorinitials[text() = "DW"]', output, 1
     end
 
+    test 'should sanitize content of HTML meta authors tag' do
+      input = <<-EOS
+= Document Title
+:author: pass:n[http://example.org/community/team.html[Ze *Product* team]]
+
+content
+      EOS
+
+      output = render_string input
+      assert_xpath '//meta[@name="author"][@content="Ze Product team"]', output, 1
+    end
+
     test 'should include multiple authors in HTML output' do
       input = <<-EOS
 = Document Title
diff --git a/test/parser_test.rb b/test/parser_test.rb
index 89108043..fecf5436 100644
--- a/test/parser_test.rb
+++ b/test/parser_test.rb
@@ -492,6 +492,19 @@ Kismet Chameleon; Johnny Bravo; Lazarus het_Draeke
     assert_equal 'het Draeke', doc.attributes['lastname_3']
   end
 
+  test 'removes formatting before partitioning author defined using author attribute' do
+    input = <<-EOS
+:author: pass:n[http://example.org/community/team.html[Ze_**Project** team]]
+    EOS
+
+    doc = empty_document
+    parse_header_metadata input, doc
+    assert_equal 1, doc.attributes['authorcount']
+    assert_equal '<a href="http://example.org/community/team.html">Ze <strong>Project</strong> team</a>', doc.attributes['authors']
+    assert_equal 'Ze Project', doc.attributes['firstname']
+    assert_equal 'team', doc.attributes['lastname']
+  end
+
   test "parse rev number date remark" do
     input = <<-EOS
 Ryan Waldron