Escape person name in contacts json

jQuery autoSuggest inserts it into the DOM via .html, so the value must be HTML-escaped before it is emitted
This commit is contained in:
Jonne Haß 2014-08-30 20:04:36 +02:00
parent 5a4697e254
commit 5d549f553b
3 changed files with 20 additions and 11 deletions


@ -22,6 +22,7 @@
* Set mention notification as read when viewing post [#5006](https://github.com/diaspora/diaspora/pull/5006) * Set mention notification as read when viewing post [#5006](https://github.com/diaspora/diaspora/pull/5006)
* Set sharing notification as read when viewing profile [#5009](https://github.com/diaspora/diaspora/pull/5009) * Set sharing notification as read when viewing profile [#5009](https://github.com/diaspora/diaspora/pull/5009)
* Ensure a consistent border on text input elements [#5069](https://github.com/diaspora/diaspora/pull/5069) * Ensure a consistent border on text input elements [#5069](https://github.com/diaspora/diaspora/pull/5069)
* Escape person name in contacts json returned by Conversations#new
## Features ## Features
* Port admin pages to bootstrap, polish user search results, allow accounts to be closed from the backend [#5046](https://github.com/diaspora/diaspora/pull/5046) * Port admin pages to bootstrap, polish user search results, allow accounts to be closed from the backend [#5046](https://github.com/diaspora/diaspora/pull/5046)


@ -85,7 +85,7 @@ class ConversationsController < ApplicationController
all_contacts_and_ids = Contact.connection.select_rows( all_contacts_and_ids = Contact.connection.select_rows(
current_user.contacts.where(:sharing => true).joins(:person => :profile). current_user.contacts.where(:sharing => true).joins(:person => :profile).
select("contacts.id, profiles.first_name, profiles.last_name, people.diaspora_handle").to_sql select("contacts.id, profiles.first_name, profiles.last_name, people.diaspora_handle").to_sql
).map{|r| {:value => r[0], :name => Person.name_from_attrs(r[1], r[2], r[3]).gsub(/(")/, "'")} } ).map{|r| {:value => r[0], :name => ERB::Util.h(Person.name_from_attrs(r[1], r[2], r[3]).gsub(/(")/, "'"))} }
@contact_ids = "" @contact_ids = ""
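Review bot: The `gsub(/(")/, "'")` kept inside the new `ERB::Util.h(...)` call on the `.map` line is now redundant, because `ERB::Util.h` already turns `"` into `&quot;`, and it still silently rewrites any double quote in a person's display name into a single quote; unless another consumer depends on that substitution, the expression can drop to `ERB::Util.h(Person.name_from_attrs(r[1], r[2], r[3]))`. Since the escaping is done server-side for one specific consumer, the JSON now carries HTML entities rather than plain text, so a comment such as `# name is HTML-escaped here because jQuery autoSuggest inserts it with .html` would keep a later reader from "fixing" it or escaping it a second time in the view, and any other consumer that renders this JSON as text would show the entities literally. The enclosing action starts and continues outside the hunk.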


@ -10,15 +10,13 @@ describe ConversationsController do
end end
describe '#new' do describe '#new' do
before do
get :new
end
it 'succeeds' do it 'succeeds' do
get :new
response.should be_success response.should be_success
end end
it "assigns a json list of contacts that are sharing with the person" do it "assigns a json list of contacts that are sharing with the person" do
get :new
assigns(:contacts_json).should include(alice.contacts.where(:sharing => true).first.person.name) assigns(:contacts_json).should include(alice.contacts.where(:sharing => true).first.person.name)
alice.contacts << Contact.new(:person_id => eve.person.id, :user_id => alice.id, :sharing => false, :receiving => true) alice.contacts << Contact.new(:person_id => eve.person.id, :user_id => alice.id, :sharing => false, :receiving => true)
assigns(:contacts_json).should_not include(alice.contacts.where(:sharing => false).first.person.name) assigns(:contacts_json).should_not include(alice.contacts.where(:sharing => false).first.person.name)
@ -41,6 +39,16 @@ describe ConversationsController do
response.body.should_not include xss response.body.should_not include xss
end end
end end
it "does not allow XSS via the profile name" do
xss = "<script>alert(0);</script>"
contact = alice.contacts.first
contact.person.profile.update_attribute(:first_name, xss)
get :new
json = JSON.parse(assigns(:contacts_json)).first
expect(json['value']).to eq(contact.id.to_s)
expect(json['name']).to_not include(xss)
end
end end
describe '#index' do describe '#index' do
@ -53,20 +61,20 @@ describe ConversationsController do
} }
@conversations = Array.new(3) { Conversation.create(hash) } @conversations = Array.new(3) { Conversation.create(hash) }
end end
it 'succeeds' do it 'succeeds' do
get :index get :index
response.should be_success response.should be_success
assigns[:conversations].should =~ @conversations assigns[:conversations].should =~ @conversations
end end
it 'succeeds with json' do it 'succeeds with json' do
get :index, :format => :json get :index, :format => :json
response.should be_success response.should be_success
json = JSON.parse(response.body) json = JSON.parse(response.body)
json.first['conversation'].should be_present json.first['conversation'].should be_present
end end
it 'retrieves all conversations for a user' do it 'retrieves all conversations for a user' do
get :index get :index
assigns[:conversations].count.should == 3 assigns[:conversations].count.should == 3
@ -254,13 +262,13 @@ describe ConversationsController do
} }
@conversation = Conversation.create(hash) @conversation = Conversation.create(hash)
end end
it 'succeeds with js' do it 'succeeds with js' do
get :show, :id => @conversation.id, :format => :js get :show, :id => @conversation.id, :format => :js
response.should be_success response.should be_success
assigns[:conversation].should == @conversation assigns[:conversation].should == @conversation
end end
it 'succeeds with json' do it 'succeeds with json' do
get :show, :id => @conversation.id, :format => :json get :show, :id => @conversation.id, :format => :json
response.should be_success response.should be_success
@ -273,7 +281,7 @@ describe ConversationsController do
response.should redirect_to(conversations_path(:conversation_id => @conversation.id)) response.should redirect_to(conversations_path(:conversation_id => @conversation.id))
assigns[:conversation].should == @conversation assigns[:conversation].should == @conversation
end end
it 'does not let you access conversations where you are not a recipient' do it 'does not let you access conversations where you are not a recipient' do
sign_in :user, eve sign_in :user, eve