diff --git a/Changelog.md b/Changelog.md
index 9a2b9a8bc..754f3c230 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -60,6 +60,10 @@ The default for including jQuery from a CDN has changed. If you want to continue
 * Increase possible captcha length [#5169](https://github.com/diaspora/diaspora/pull/5169)
 * Display visibility icon in publisher aspects dropdown [#4982](https://github.com/diaspora/diaspora/pull/4982)
+# 0.4.1.1
+
+* Fix XSS issue in poll questions [#5274](https://github.com/diaspora/diaspora/issues/5274)
+
 # 0.4.1.0
 ## New 'Terms of Service' feature and template
diff --git a/app/assets/templates/poll_tpl.jst.hbs b/app/assets/templates/poll_tpl.jst.hbs
index 20def69b1..f9aad7f18 100644
--- a/app/assets/templates/poll_tpl.jst.hbs
+++ b/app/assets/templates/poll_tpl.jst.hbs
@@ -1,7 +1,7 @@ {{#if poll}}
- {{{poll.question}}}
+ {{poll.question}}
{{t "poll.count" count=poll.participation_count}}
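Review bot: Replacing `{{{poll.question}}}` with `{{poll.question}}` closes the hole for the question, but the same audit should cover every remaining triple-stash in this template — in particular the answer text rendered inside the `{{#poll.poll_answers}}` block of the following hunk, whose changed lines are not legible on this page, so I cannot confirm they were switched too. A short template comment at the top of the block, such as `{{!-- question and answer text are user input: always use the escaping double-stash form here --}}`, would make the intent explicit and discourage a later revert to `{{{ }}}`. The enclosing `{{#if poll}}` block continues past the end of this hunk.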
@@ -12,13 +12,13 @@ {{#poll.poll_answers}} + {{/poll.poll_answers}}
 {{t "poll.show_result"}}
diff --git a/spec/javascripts/app/views/poll_view_spec.js b/spec/javascripts/app/views/poll_view_spec.js
index ee5143165..04124467c 100644
--- a/spec/javascripts/app/views/poll_view_spec.js
+++ b/spec/javascripts/app/views/poll_view_spec.js
@@ -35,6 +35,15 @@ describe("app.views.Poll", function(){
 })
 });
+ describe("render", function() {
+ it("escapes the poll question", function() {
+ var question = "";
+ this.view.poll.question = question;
+ this.view.render();
+ expect(this.view.$('.poll_head strong').text()).toBe(question);
+ });
+ });
+
 describe("vote form", function(){
 it('show vote form when user is logged in and not voted before', function(){
 expect(this.view.$('form').length).toBe(1);
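Review bot: As it appears here, `var question = "";` is an empty string, and an empty fixture makes `expect(...text()).toBe(question)` pass for both the escaped `{{poll.question}}` and the old unescaped `{{{poll.question}}}` form, so the spec would not catch a regression; the literal may have been stripped when this page was rendered, but if it really is empty it should contain markup so that escaping is what the test exercises. Comparing `.text()` alone also cannot distinguish "escaped and shown as text" from "parsed as an element with the same text", so add a second assertion that the rendered node has no child elements, e.g. `expect(this.view.$('.poll_head strong').children().length).toBe(0);`. The `this.view.poll` fixture is set up in a `beforeEach` outside this hunk, so confirm that assigning `question` there does not leak into the other specs.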