From 293445225a3de9d1fc68fb86a4feacffe1113c51 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Fri, 24 Dec 2010 15:33:04 +0100
Subject: [PATCH 1/2] Don't let user put HTML in alt and title image attribute of avatar
---
 app/helpers/application_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 08e4648e3..c06ca09bd 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -124,7 +124,7 @@ module ApplicationHelper
 end
 def person_image_tag(person, size=:thumb_small)
- "#{person.name}".html_safe
+ "\"#{h(person.name)}\"".html_safe
 end
 def person_link(person)
From 5cbccda33a00009724b9d223c41d22c5dc95eba1 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Fri, 24 Dec 2010 15:49:26 +0100
Subject: [PATCH 2/2] Spec for not allowing user to do the XSS
---
 spec/helpers/application_helper_spec.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index 440ccb025..a6633eafa 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -41,6 +41,14 @@ describe ApplicationHelper do
 person_image_link(@person).should include(person_path(@person))
 end
 end
+
+ describe "#person_image_tag" do
+ it "should not allow basic XSS/HTML" do
+ @person.profile.first_name = "I'm
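Review bot: Wrapping the name in `h(...)` on the added line stops a name from closing the quoted attribute, but the tag is still hand-built by string interpolation and then force-marked with `html_safe`, so every attribute value interpolated into this literal now or later must remember its own `h` call. The markup of the literal appears to have been stripped by extraction, so only the `h(person.name)` interpolation is verifiable here. A safer shape is to let the view helpers escape for you, e.g. `tag(:img, alt: person.name, title: person.name, ...)` or `image_tag(..., alt: person.name, title: person.name)`, which escape attribute values by default and remove the need for `html_safe` on a string the helper assembled itself. The `size` parameter's use is not visible in the hunk, so whether it feeds another interpolated attribute cannot be confirmed from here.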

Evil"
+ @person.profile.last_name = "I'm

Evil"
+ person_image_tag(@person).should_not include("

")
+ end
+ end
 describe "markdownify" do
 describe "autolinks" do
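Review bot: The added example only asserts that a raw tag is absent from the output, which a helper that dropped the name entirely (or returned an empty string) would also satisfy, so it does not prove the name is rendered escaped. Pair the negative check with a positive one on the escaped form, e.g. `person_image_tag(@person).should include(ERB::Util.html_escape(@person.name))`, so a regression that silently strips the name is caught too. The string values assigned to `first_name` and `last_name` look to have had their markup removed by extraction, so the exact payload being asserted on cannot be confirmed here. The `@person` fixture this example relies on is set up outside the hunk.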