/foo.rb

## foo.rb
irb(main):061:0> bar
=> "var functionMap = {\n\t'addFilter':{'ret':'none', 'args':[{'type':'function'}]},\n\t'add':{'ret':'none', 'args':[{'type':'element'}]},\n\t'addTextTrack':{'ret':'none', 'args':[{'choice':['subtitles', 'captions', 'descriptions', 'chapters', 'metadata']}]},\n\t'appendChild':{'ret':'none', 'args':[{'type':'element'}]},\n\t'applyElement':{'ret':'none', 'args':[{'type':'element'}, {'choice':['inside', 'outside']}]},\n\t'blur':{'ret':'none', 'args':[{'type':'none'}]},\n\t'canPlayType':{'ret':'none', 'args':[{'choice':['video/mp4; codecs=\\'avc1.42E01E\\'', 'video/ogg; codecs=\\'theora\\'']}]},\n\t'checkValidity':{'ret':'none', 'args':[{'type':'none'}]},\n"
irb(main):062:0> foo
=> "<?xml version=\"1.0\"?>\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN\" \"http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd\" [\r\n  <!ENTITY mathml \"http://www.w3.org/1998/Math/MathML\">\r\n]>\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n<head>\r\n<title>Testcase bug - Evil mrow:hover testcase crashes Mozilla</title>\r\n<style type=\"text/css\">\r\n#h:hover{display:block;}\r\n</style>\r\n</head>\r\n<body onload=\"document.getElementById('mrow').setAttribute('id', 'h');\">\r\n<math mode=\"display\" xmlns=\"http://www.w3.org/1998/Math/MathML\">\r\n<mover>\r\n  <mrow id=\"mrow\">hovering over this should not crash Mozilla</mrow>\r\n  <mover>\r\n    <mo>10</mo>\r\n    <mrow>times</mrow>\r\n  </mover>\r\n</mover>\r\n</math>\r\n</body>\r\n</html>\r\n"
irb(main):063:0> print foo.sub(/<head>/m, "\0\n<script type='text/javascript'>" + "123\\'asdasd" + "</script>")
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN" "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd" [
  <!ENTITY mathml "http://www.w3.org/1998/Math/MathML">
]>
<html xmlns="http://www.w3.org/1999/xhtml">


<script type='text/javascript'>123
<title>Testcase bug - Evil mrow:hover testcase crashes Mozilla</title>
<style type="text/css">
#h:hover{display:block;}
</style>
</head>
<body onload="document.getElementById('mrow').setAttribute('id', 'h');">
<math mode="display" xmlns="http://www.w3.org/1998/Math/MathML">
<mover>
  <mrow id="mrow">hovering over this should not crash Mozilla</mrow>
  <mover>
    <mo>10</mo>
    <mrow>times</mrow>
  </mover>
</mover>
</math>
</body>
</html>
asdasd</script>
<title>Testcase bug - Evil mrow:hover testcase crashes Mozilla</title>
<style type="text/css">
#h:hover{display:block;}
</style>
</head>
<body onload="document.getElementById('mrow').setAttribute('id', 'h');">
<math mode="display" xmlns="http://www.w3.org/1998/Math/MathML">
<mover>
  <mrow id="mrow">hovering over this should not crash Mozilla</mrow>
  <mover>
    <mo>10</mo>
    <mrow>times</mrow>
  </mover>
</mover>
</math>
</body>
</html>
=> nil
irb(main):064:0>
	irb(main):061:0> bar
	=> "var functionMap = {\n\t'addFilter':{'ret':'none', 'args':[{'type':'function'}]},\n\t'add':{'ret':'none', 'args':[{'type':'element'}]},\n\t'addTextTrack':{'ret':'none', 'args':[{'choice':['subtitles', 'captions', 'descriptions', 'chapters', 'metadata']}]},\n\t'appendChild':{'ret':'none', 'args':[{'type':'element'}]},\n\t'applyElement':{'ret':'none', 'args':[{'type':'element'}, {'choice':['inside', 'outside']}]},\n\t'blur':{'ret':'none', 'args':[{'type':'none'}]},\n\t'canPlayType':{'ret':'none', 'args':[{'choice':['video/mp4; codecs=\\'avc1.42E01E\\'', 'video/ogg; codecs=\\'theora\\'']}]},\n\t'checkValidity':{'ret':'none', 'args':[{'type':'none'}]},\n"
	irb(main):062:0> foo
	=> "<?xml version=\"1.0\"?>\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN\" \"http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd\" [\r\n <!ENTITY mathml \"http://www.w3.org/1998/Math/MathML\">\r\n]>\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n<head>\r\n<title>Testcase bug - Evil mrow:hover testcase crashes Mozilla</title>\r\n<style type=\"text/css\">\r\n#h:hover{display:block;}\r\n</style>\r\n</head>\r\n<body onload=\"document.getElementById('mrow').setAttribute('id', 'h');\">\r\n<math mode=\"display\" xmlns=\"http://www.w3.org/1998/Math/MathML\">\r\n<mover>\r\n <mrow id=\"mrow\">hovering over this should not crash Mozilla</mrow>\r\n <mover>\r\n <mo>10</mo>\r\n <mrow>times</mrow>\r\n </mover>\r\n</mover>\r\n</math>\r\n</body>\r\n</html>\r\n"
	irb(main):063:0> print foo.sub(/<head>/m, "\0\n<script type='text/javascript'>" + "123\\'asdasd" + "</script>")
	<?xml version="1.0"?>
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN" "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd" [
	<!ENTITY mathml "http://www.w3.org/1998/Math/MathML">
	]>
	<html xmlns="http://www.w3.org/1999/xhtml">


	<script type='text/javascript'>123
	<title>Testcase bug - Evil mrow:hover testcase crashes Mozilla</title>
	<style type="text/css">
	#h:hover{display:block;}
	</style>
	</head>
	<body onload="document.getElementById('mrow').setAttribute('id', 'h');">
	<math mode="display" xmlns="http://www.w3.org/1998/Math/MathML">
	<mover>
	<mrow id="mrow">hovering over this should not crash Mozilla</mrow>
	<mover>
	<mo>10</mo>
	<mrow>times</mrow>
	</mover>
	</mover>
	</math>
	</body>
	</html>
	asdasd</script>
	<title>Testcase bug - Evil mrow:hover testcase crashes Mozilla</title>
	<style type="text/css">
	#h:hover{display:block;}
	</style>
	</head>
	<body onload="document.getElementById('mrow').setAttribute('id', 'h');">
	<math mode="display" xmlns="http://www.w3.org/1998/Math/MathML">
	<mover>
	<mrow id="mrow">hovering over this should not crash Mozilla</mrow>
	<mover>
	<mo>10</mo>
	<mrow>times</mrow>
	</mover>
	</mover>
	</math>
	</body>
	</html>
	=> nil
	irb(main):064:0>