eliminate eval from Builder#initialize

flavorjones · flavorjones · commit 6777008202c1 · 2019-08-10T18:25:38.000-04:00
which was raised by Rubocop's security filter related to #1915
diff --git a/lib/nokogiri/xml/builder.rb b/lib/nokogiri/xml/builder.rb
@@ -268,10 +268,13 @@ def initialize(options = {}, root = nil, &block)
           @doc = root.document
           @parent = root
         else
-          namespace = self.class.name.split("::")
-          namespace[-1] = "Document"
-          @doc = eval(namespace.join("::")).new
-          @parent = @doc
+          klassname = "::" + (self.class.name.split("::")[0..-2] + ["Document"]).join("::")
+          klass = begin
+                    Object.const_get(klassname)
+                  rescue NameError
+                    Nokogiri::XML::Document
+                  end
+          @parent = @doc = klass.new
         end
 
         @context = nil
diff --git a/test/xml/test_builder.rb b/test/xml/test_builder.rb
@@ -342,6 +342,17 @@ def test_builder_reuses_namespaces
         assert_equal envelope.namespace.object_id, package.namespace.object_id
       end
 
+      def test_builder_uses_proper_document_class
+        xml_builder = Nokogiri::XML::Builder.new
+        assert_instance_of Nokogiri::XML::Document, xml_builder.doc
+
+        html_builder = Nokogiri::HTML::Builder.new
+        assert_instance_of Nokogiri::HTML::Document, html_builder.doc
+
+        foo_builder = ThisIsATestBuilder.new
+        assert_instance_of Nokogiri::XML::Document, foo_builder.doc
+      end
+
       private
 
       def namespaces_defined_on(node)
@@ -350,3 +361,7 @@ def namespaces_defined_on(node)
     end
   end
 end
+
+class ThisIsATestBuilder < Nokogiri::XML::Builder
+  # this exists for the test_builder_uses_proper_document_class and should be empty
+end
