nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Escape person name in contacts json

Browse source 
jQuery autoSuggest uses .html to insert it into the DOM
This commit is contained in:
Jonne Haß 2014-08-30 20:04:36 +02:00
parent 5a4697e254
commit 5d549f553b
3 changed files with 20 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Changelog.md
View file

@ -22,6 +22,7 @@
* Set mention notification as read when viewing post [#5006](https://github.com/diaspora/diaspora/pull/5006) * Set mention notification as read when viewing post [#5006](https://github.com/diaspora/diaspora/pull/5006)
* Set sharing notification as read when viewing profile [#5009](https://github.com/diaspora/diaspora/pull/5009) * Set sharing notification as read when viewing profile [#5009](https://github.com/diaspora/diaspora/pull/5009)
* Ensure a consistent border on text input elements [#5069](https://github.com/diaspora/diaspora/pull/5069) * Ensure a consistent border on text input elements [#5069](https://github.com/diaspora/diaspora/pull/5069)
* Escape person name in contacts json returned by Conversations#new
## Features ## Features
* Port admin pages to bootstrap, polish user search results, allow accounts to be closed from the backend [#5046](https://github.com/diaspora/diaspora/pull/5046) * Port admin pages to bootstrap, polish user search results, allow accounts to be closed from the backend [#5046](https://github.com/diaspora/diaspora/pull/5046)

2
app/controllers/conversations_controller.rb
View file

@ -85,7 +85,7 @@ class ConversationsController < ApplicationController
all_contacts_and_ids = Contact.connection.select_rows( all_contacts_and_ids = Contact.connection.select_rows(
current_user.contacts.where(:sharing => true).joins(:person => :profile). current_user.contacts.where(:sharing => true).joins(:person => :profile).
select("contacts.id, profiles.first_name, profiles.last_name, people.diaspora_handle").to_sql select("contacts.id, profiles.first_name, profiles.last_name, people.diaspora_handle").to_sql
).map{|r| {:value => r[0], :name => Person.name_from_attrs(r[1], r[2], r[3]).gsub(/(")/, "'")} } ).map{|r| {:value => r[0], :name => ERB::Util.h(Person.name_from_attrs(r[1], r[2], r[3]).gsub(/(")/, "'"))} }
@contact_ids = "" @contact_ids = ""

16
spec/controllers/conversations_controller_spec.rb
View file

@ -10,15 +10,13 @@ describe ConversationsController do
end end
describe '#new' do describe '#new' do
before do
get :new
end
it 'succeeds' do it 'succeeds' do
get :new
response.should be_success response.should be_success
end end
it "assigns a json list of contacts that are sharing with the person" do it "assigns a json list of contacts that are sharing with the person" do
get :new
assigns(:contacts_json).should include(alice.contacts.where(:sharing => true).first.person.name) assigns(:contacts_json).should include(alice.contacts.where(:sharing => true).first.person.name)
alice.contacts << Contact.new(:person_id => eve.person.id, :user_id => alice.id, :sharing => false, :receiving => true) alice.contacts << Contact.new(:person_id => eve.person.id, :user_id => alice.id, :sharing => false, :receiving => true)
assigns(:contacts_json).should_not include(alice.contacts.where(:sharing => false).first.person.name) assigns(:contacts_json).should_not include(alice.contacts.where(:sharing => false).first.person.name)
@ -41,6 +39,16 @@ describe ConversationsController do
response.body.should_not include xss response.body.should_not include xss
end end
end end
it "does not allow XSS via the profile name" do
xss = "<script>alert(0);</script>"
contact = alice.contacts.first
contact.person.profile.update_attribute(:first_name, xss)
get :new
json = JSON.parse(assigns(:contacts_json)).first
expect(json['value']).to eq(contact.id.to_s)
expect(json['name']).to_not include(xss)
end
end end
describe '#index' do describe '#index' do