Merge branch 'hotfix/0.0.3.2'

2013-02-26 19:06:40 +01:00 · 2013-02-26 19:06:40 +01:00 · 3e32472dbb
commit 3e32472dbb
parent 4a92508281 d6ff67fde2
4 changed files with 14 additions and 2 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -1,3 +1,7 @@
+# 0.0.3.2
+
+* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
+
 # 0.0.3.1

 * exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.
--- a/app/views/conversations/new.haml
+++ b/app/views/conversations/new.haml
@ -20,7 +20,7 @@
      keyDelay: 0,
      startText: '',
      emptyText: '#{t('no_results')}',
-      preFill: [{name : "#{params[:name]}",
+      preFill: [{name : "#{h params[:name]}",
                 value : "#{@contact_ids}"}]
      });
    autocompleteInput.focus();
--- a/config/defaults.yml
+++ b/config/defaults.yml
@ -4,7 +4,7 @@

 defaults:
  version:
-    number: "0.0.3.1"
+    number: "0.0.3.2"
  heroku: false
  environment:
    url: "http://localhost:3000/"
--- a/spec/controllers/conversations_controller_spec.rb
+++ b/spec/controllers/conversations_controller_spec.rb
@ -33,6 +33,14 @@ describe ConversationsController do
      get :new, :aspect_id => alice.aspects.first.id
      assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
    end
+
+    it "does not allow XSS via the name parameter" do
+      ["</script><script>alert(1);</script>",
+       '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+        get :new, name: xss
+        response.body.should_not include xss
+      end
+    end
  end

  describe '#index' do