From d9746a8461caf7212c41acd99d2f86f09a107f0c Mon Sep 17 00:00:00 2001
From: Steffen van Bergerem
Date: Wed, 10 Aug 2016 17:19:58 +0200
Subject: [PATCH 1/2] Escape HTML in mentions box

---
 app/assets/javascripts/app/views/publisher/mention_view.js | 2 +-
 features/desktop/posts_from_main_page.feature | 6 ++++++
 spec/javascripts/app/views/publisher_mention_view_spec.js | 7 +++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/app/views/publisher/mention_view.js b/app/assets/javascripts/app/views/publisher/mention_view.js
index 2a1c65591..b8f6143f5 100644
--- a/app/assets/javascripts/app/views/publisher/mention_view.js
+++ b/app/assets/javascripts/app/views/publisher/mention_view.js
@@ -91,7 +91,7 @@ app.views.PublisherMention = app.views.SearchBase.extend({
 */
 updateMessageTexts: function() {
 var fakeMessageText = this.inputBox.val(),
- mentionBoxText = fakeMessageText,
+ mentionBoxText = _.escape(fakeMessageText),
 messageText = fakeMessageText;
 
 this.mentionedPeople.forEach(function(person) {
diff --git a/features/desktop/posts_from_main_page.feature b/features/desktop/posts_from_main_page.feature
index b81786b53..1c51665da 100644
--- a/features/desktop/posts_from_main_page.feature
+++ b/features/desktop/posts_from_main_page.feature
@@ -196,6 +196,12 @@ Feature: posting from the main page
 And I select only "NotPostingThingsHere" aspect
 Then I should not see "I am eating a yogurt" and "And cornflakes also"
 
+ Scenario: Write html in the publisher
+ When I expand the publisher
+ Then I should not see any alert after I write the status message ""
+ When I submit the publisher
+ Then "" should be post 1
+
 # (NOTE) make this a jasmine spec
 Scenario: reject deletion one of my posts
 When I expand the publisher
diff --git a/spec/javascripts/app/views/publisher_mention_view_spec.js b/spec/javascripts/app/views/publisher_mention_view_spec.js
index a28a393e7..436e5e674 100644
--- a/spec/javascripts/app/views/publisher_mention_view_spec.js
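Review bot: `_.escape` is applied to the whole input before the `this.mentionedPeople.forEach` loop that follows, so whatever that loop substitutes into `mentionBoxText` (presumably each mentioned person's display name, which is also user-controlled) has to be matched and inserted in its escaped form as well — a name containing `&`, `'`, `<` or `"` would otherwise no longer match the escaped text, and an unescaped replacement would undo the fix for that name. The body of `updateMessageTexts` continues past the hunk, so this cannot be confirmed from here; the loop is worth checking, and the new line deserves a why-comment such as `// mentionBoxText is rendered as HTML in the mentions box, so escape the raw input first`. A spec with a mentioned name that contains `&` would pin the interaction between the escape and the substitution.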
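Review bot: The status message literal in the new scenario reads `""` here (`Then I should not see any alert after I write the status message ""` and `Then "" should be post 1`), and the same applies to the spec hunk in the next file, whose input `" @user1 Text before \u200Buser1\ntext after"` carries no markup while its expected output contains an `<img src=\"/default.png\">` tag. If the markup was lost when this patch was rendered there is nothing to do; if the literals really are empty, the scenario posts an empty message and neither test exercises escaping at all. In the spec, an expectation that `.html()` yields a literal `<img …>` tag would also mean the tag was not escaped; presumably the committed file has the entity-encoded form, which is worth confirming against the test's name "properly escapes the user input".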
+++ b/spec/javascripts/app/views/publisher_mention_view_spec.js
@@ -197,6 +197,13 @@ describe("app.views.PublisherMention", function() {
 expect(this.view.mentionsBox.find(".mentions").html())
 .toBe("@user1 Text before user1\ntext after");
 });
+
+ it("properly escapes the user input", function() {
+ this.view.inputBox.val(" @user1 Text before \u200Buser1\ntext after");
+ this.view.updateMessageTexts();
+ expect(this.view.mentionsBox.find(".mentions").html())
+ .toBe("<img src=\"/default.png\"> @user1 Text before user1\ntext after");
+ });
 });
 
 describe("updateTypeaheadInput", function() {

From 0a8573e00b03694cc56d3ab0c0d6812f50e6b2ad Mon Sep 17 00:00:00 2001
From: Steffen van Bergerem
Date: Wed, 10 Aug 2016 17:21:10 +0200
Subject: [PATCH 2/2] Add cuke for #6953

---
 features/desktop/mentions.feature | 25 ++++++++++++++++++++++
 features/step_definitions/mention_steps.rb | 4 ++++
 2 files changed, 29 insertions(+)

diff --git a/features/desktop/mentions.feature b/features/desktop/mentions.feature
index d16a5ee77..9c613bcf6 100644
--- a/features/desktop/mentions.feature
+++ b/features/desktop/mentions.feature
@@ -29,3 +29,28 @@ Feature: Mentions
 Then I should see "Bob Jones" within ".stream_element"
 When I follow "Bob Jones"
 Then I should see "Bob Jones"
+
+ Scenario: A user tries to mention another user multiple times
+ Given following users exist:
+ | username | email |
+ | Bob Jones | bob@bob.bob |
+ | Alice Smith | alice@alice.alice |
+ And a user with email "bob@bob.bob" is connected with "alice@alice.alice"
+ When I sign in as "alice@alice.alice"
+ And I expand the publisher
+ And I append "@Bob" to the publisher
+ Then I should see "Bob Jones" within ".tt-suggestion"
+ When I click on the first user in the mentions dropdown list
+ When I press the "A" key in the publisher
+ And I append "@Bob" to the publisher
+ Then I should not see the mentions dropdown list
+ When I press "Share"
+ Then I should see "Bob Jones" within ".stream_element"
+
+ When I expand the publisher
+ And I append "@Bob" to the publisher
+ And I click on the first user in the mentions dropdown list
+ And I press "Share"
+ Then I should see "Bob Jones" within ".stream_element"
+ When I follow "Bob Jones"
+ Then I should see "Bob Jones"
diff --git a/features/step_definitions/mention_steps.rb b/features/step_definitions/mention_steps.rb
index e382baba6..7f2ce1256 100644
--- a/features/step_definitions/mention_steps.rb
+++ b/features/step_definitions/mention_steps.rb
@@ -22,3 +22,7 @@ end
 And /^I click on the first user in the mentions dropdown list$/ do
 find(".tt-menu .tt-suggestion", match: :first).click
 end
+
+Then /^I should not see the mentions dropdown list$/ do
+ expect(page).to have_no_css ".tt-menu"
+end
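Review bot: The second `Then I should see "Bob Jones" within ".stream_element"` (after the second `When I press "Share"`) is already satisfied by the first post, which is still in the stream, so it does not show that the second post rendered its mention; scoping the assertion to the newest stream element, or asserting the number of matching elements, would make it a real check. The scenario title says the user tries to mention someone multiple times, but the only behaviour the steps actually pin is that the dropdown stays closed on the second `@Bob` (`Then I should not see the mentions dropdown list`); a one-line comment above the scenario stating the expected outcome — the second `@Bob` is treated as plain text and the suggestion list does not reopen, if that is what #6953 is about — would spare the next reader the guess. Minor style: `When I click on the first user …` directly followed by `When I press the "A" key in the publisher` reads better as `And I press the "A" key in the publisher`, matching the rest of the scenario.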
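Review bot: `have_no_css ".tt-menu"` also passes when the typeahead menu is still in the DOM but hidden, because Capybara ignores non-visible elements by default; that is presumably what the step wants (the dropdown is closed, not necessarily removed), but it silently depends on the `Capybara.ignore_hidden_elements` default, so spelling it out documents the intent: `expect(page).to have_no_css ".tt-menu", visible: true`. The negative matcher does wait for the selector to disappear, so the step is not racy against a dropdown that closes asynchronously.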