Merge branch 'hotfix/0.0.3.2'

Jonne Haß 2013-02-26 19:06:40 +01:00
commit 3e32472dbb
4 changed files with 14 additions and 2 deletions


@ -1,3 +1,7 @@
# 0.0.3.2
* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
# 0.0.3.1 # 0.0.3.1
* exec foreman in ./script/server to replace the process so that we can Ctrl+C it again. * exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.


@ -20,7 +20,7 @@
keyDelay: 0, keyDelay: 0,
startText: '', startText: '',
emptyText: '#{t('no_results')}', emptyText: '#{t('no_results')}',
preFill: [{name : "#{params[:name]}", preFill: [{name : "#{h params[:name]}",
value : "#{@contact_ids}"}] value : "#{@contact_ids}"}]
}); });
autocompleteInput.focus(); autocompleteInput.focus();
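Review bot: The `h` added on the `preFill` line (L22) is an HTML escaper applied inside what appears to be a JavaScript string literal, which is the wrong escaping context even though it does stop the two breakouts the spec covers. Browsers do not decode entities inside a script block, so a name containing `&`, `"` or `'` is prefilled as `&amp;`/`&quot;`/`&#x27;` text, and characters that matter in a JS string (`\`, a raw newline, U+2028) are not handled at all and can still break the literal. Use the helper built for this context instead: `preFill: [{name : "#{escape_javascript(params[:name])}",` and for consistency the same on the `value : "#{@contact_ids}"` line, even though that value is server-derived. How the autocomplete widget later inserts `name` into the DOM is outside this hunk and should be checked separately.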


@ -4,7 +4,7 @@
defaults: defaults:
version: version:
number: "0.0.3.1" number: "0.0.3.2"
heroku: false heroku: false
environment: environment:
url: "http://localhost:3000/" url: "http://localhost:3000/"


@ -33,6 +33,14 @@ describe ConversationsController do
get :new, :aspect_id => alice.aspects.first.id get :new, :aspect_id => alice.aspects.first.id
assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',') assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
end end
it "does not allow XSS via the name parameter" do
["</script><script>alert(1);</script>",
'"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
get :new, name: xss
response.body.should_not include xss
end
end
end end
describe '#index' do describe '#index' do
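Review bot: The new example only asserts that each raw payload is absent from `response.body`, which would also pass if the `name` parameter stopped being rendered at all, so it cannot distinguish "escaped" from "dropped". Add a positive assertion next to the negative one so the regression test pins the intended behaviour, e.g. `response.body.should include ERB::Util.html_escape(xss)` for the current HTML-escaping fix, adjusting the expected form if the escaping helper changes. The payloads also cover only quote and `</script>` breakouts; a case with a backslash or newline in `name` would exercise the JavaScript-string context the value lands in. The enclosing `describe '#new'` block starts before this hunk.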