From 84483d63828d0cb2efbf5bd786a2f0d22e34c93d Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Sat, 7 Feb 2026 10:38:27 +0000
Subject: [PATCH] Stop traversal of child elements at @Loofah::Scrubber::STOP@ signal (#42737). Patch by Takashi Kato (user:tohosaku). git-svn-id: https://svn.redmine.org/redmine/trunk@24400 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
.../wiki_formatting/common_mark/formatter.rb | 7 +++++--
.../common_mark/syntax_highlight_scrubber.rb | 1 +
lib/redmine/wiki_formatting/html_sanitizer.rb | 5 ++++-
lib/redmine/wiki_formatting/textile/formatter.rb | 9 ++++++---
.../textile/syntax_highlight_scrubber.rb | 1 +
test/helpers/application_helper_test.rb | 15 +++++++++++++++
6 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/lib/redmine/wiki_formatting/common_mark/formatter.rb b/lib/redmine/wiki_formatting/common_mark/formatter.rb
index 816fc4395..668537190 100644
--- a/lib/redmine/wiki_formatting/common_mark/formatter.rb
+++ b/lib/redmine/wiki_formatting/common_mark/formatter.rb
@@ -54,9 +54,9 @@ module Redmine SANITIZER = SanitizationFilter.new SCRUBBERS = [ + Redmine::WikiFormatting::CopypreScrubber.new, SyntaxHighlightScrubber.new, Redmine::WikiFormatting::TablesortScrubber.new, - Redmine::WikiFormatting::CopypreScrubber.new, FixupAutoLinksScrubber.new, ExternalLinksScrubber.new, AlertsIconsScrubber.new
@@ -73,12 +73,15 @@ module Redmine html = MarkdownFilter.new(@text, PIPELINE_CONFIG).call fragment = Redmine::WikiFormatting::HtmlParser.parse(html) SANITIZER.call(fragment) + scrubber = Loofah::Scrubber.new do |node| SCRUBBERS.each do |s| - s.scrub(node) + result = s.scrub(node) + break result if result == Loofah::Scrubber::STOP break if node.parent.nil? end end + fragment.scrub!(scrubber) fragment.to_s end
diff --git a/lib/redmine/wiki_formatting/common_mark/syntax_highlight_scrubber.rb b/lib/redmine/wiki_formatting/common_mark/syntax_highlight_scrubber.rb
index f727bacd4..5a93f0df7 100644
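Review bot: The new position of `Redmine::WikiFormatting::CopypreScrubber.new` at the head of `SCRUBBERS` is load-bearing, but nothing in the list says so. Once `SyntaxHighlightScrubber#scrub` returns `Loofah::Scrubber::STOP` (added elsewhere in this patch), the loop in `to_html` stops calling the remaining scrubbers for that node, so any scrubber that must see a highlighted block has to be listed before it. I would add a comment above the array such as `# Order matters: a scrubber returning Loofah::Scrubber::STOP ends processing of the node and its subtree for every scrubber listed after it.` The same reorder in `textile/formatter.rb` deserves the same comment.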
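Review bot: A `STOP` from any one scrubber now also hides the node's whole subtree from every scrubber later in `SCRUBBERS`, because `break result` makes `SCRUBBERS.each`, and therefore the `Loofah::Scrubber.new` block, evaluate to `STOP`. In this file that means `FixupAutoLinksScrubber`, `ExternalLinksScrubber` and `AlertsIconsScrubber` never visit markup under a highlighted block; `SANITIZER.call(fragment)` has already run by then, so this looks safe only as long as no later scrubber is relied on for security-relevant rewriting. The control flow is subtle enough to merit a comment, e.g. `# break with a value so the block itself returns STOP and Loofah skips the children`. The identical loop is added in `html_sanitizer.rb` and `textile/formatter.rb`; a shared helper would keep the three copies from drifting. `to_html` begins outside this hunk.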
--- a/lib/redmine/wiki_formatting/common_mark/syntax_highlight_scrubber.rb
+++ b/lib/redmine/wiki_formatting/common_mark/syntax_highlight_scrubber.rb
@@ -35,6 +35,7 @@ module Redmine lang = $1 text = node.inner_text process node, text, lang + Loofah::Scrubber::STOP end end end
diff --git a/lib/redmine/wiki_formatting/html_sanitizer.rb b/lib/redmine/wiki_formatting/html_sanitizer.rb
index e512d7788..64c6b9566 100644
--- a/lib/redmine/wiki_formatting/html_sanitizer.rb
+++ b/lib/redmine/wiki_formatting/html_sanitizer.rb
@@ -27,12 +27,15 @@ module Redmine def self.call(html) fragment = HtmlParser.parse(html) SANITIZER.call(fragment) + scrubber = Loofah::Scrubber.new do |node| SCRUBBERS.each do |s| - s.scrub(node) + result = s.scrub(node) + break result if result == Loofah::Scrubber::STOP break if node.parent.nil? end end + fragment.scrub!(scrubber) fragment.to_s end
diff --git a/lib/redmine/wiki_formatting/textile/formatter.rb b/lib/redmine/wiki_formatting/textile/formatter.rb
index 39f9fd15e..af1def1be 100644
--- a/lib/redmine/wiki_formatting/textile/formatter.rb
+++ b/lib/redmine/wiki_formatting/textile/formatter.rb
@@ -21,9 +21,9 @@ module Redmine module WikiFormatting module Textile SCRUBBERS = [ + Redmine::WikiFormatting::CopypreScrubber.new, SyntaxHighlightScrubber.new, - Redmine::WikiFormatting::TablesortScrubber.new, - Redmine::WikiFormatting::CopypreScrubber.new + Redmine::WikiFormatting::TablesortScrubber.new ] class Formatter
@@ -39,12 +39,15 @@ module Redmine def to_html(*rules) html = @filter.to_html(rules) fragment = Loofah.html5_fragment(html) + scrubber = Loofah::Scrubber.new do |node| SCRUBBERS.each do |s| - s.scrub(node) + result = s.scrub(node) + break result if result == Loofah::Scrubber::STOP break if node.parent.nil? end end + fragment.scrub!(scrubber) fragment.to_s end
diff --git a/lib/redmine/wiki_formatting/textile/syntax_highlight_scrubber.rb b/lib/redmine/wiki_formatting/textile/syntax_highlight_scrubber.rb
index d5e976cec..172f97316 100644
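Review bot: The added `Loofah::Scrubber::STOP` makes the return value of `scrub` part of its contract, yet the line carries no explanation and only the matched path is visible here. Because the caller now skips both the children and all later scrubbers on `STOP`, whatever `process` writes into the node is emitted without another pass, so it is worth stating that `process` must produce already-escaped highlighter output (I cannot confirm that from this hunk). Suggested comment: `# Highlighted markup is final: stop here so no other scrubber re-processes the generated children.` The start of `scrub` and its non-matching return path are outside the hunk; the same line is added to `textile/syntax_highlight_scrubber.rb`.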
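Review bot: `SCRUBBERS` for `HtmlSanitizer` is defined outside this hunk, so it is not visible whether its order was reviewed the way the two formatter lists were. With `break result if result == Loofah::Scrubber::STOP` in place, any entry listed after a scrubber that returns `STOP` is skipped for that node and its subtree. If this list contains `SyntaxHighlightScrubber` or another scrubber that returns `STOP`, the entries that must still see the node need to precede it, and a one-line comment on the constant should record that.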
--- a/lib/redmine/wiki_formatting/textile/syntax_highlight_scrubber.rb
+++ b/lib/redmine/wiki_formatting/textile/syntax_highlight_scrubber.rb
@@ -34,6 +34,7 @@ module Redmine end process node, text, lang + Loofah::Scrubber::STOP end end end
diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
index 87b57c7f2..3484c8a72 100644
--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
@@ -1447,6 +1447,21 @@ class ApplicationHelperTest < Redmine::HelperTest end end + def test_syntax_highlight_common_mark + raw = <<~RAW + ```ECMA_script + /* Hello */ + document.write("Hello World!"); + ``` + RAW + expected = <<~EXPECTED + #{pre_wrapper('
/* Hello */document.write("Hello World!");
')} + EXPECTED + with_settings :text_formatting => 'common_mark' do + assert_equal expected.gsub(%r{[\r\n\t]}, ''), textilizable(raw).gsub(%r{[\r\n\t]}, '') + end + end + def test_syntax_highlight_ampersand_in_textile raw = <<~RAW