From 3ac340e03ea7d27013cbb011b12e96ccfe1e1ee7 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Sun, 20 Dec 2015 00:06:19 +0100
Subject: [PATCH 1/3] Prepeare 0.5.5.1 hotfix
---
 config/defaults.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/defaults.yml b/config/defaults.yml
index 76ab9b5df..8ebef3e90 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@ defaults:
 version:
- number: "0.5.5.0" # Do not touch unless doing a release, do not backport the version number that's in master
+ number: "0.5.5.1" # Do not touch unless doing a release, do not backport the version number that's in master
 heroku: false
 environment:
 url: "http://localhost:3000/"
From e20f2ae566d233de5133b1825542f47bb80afe21 Mon Sep 17 00:00:00 2001
From: Steffen van Bergerem
Date: Thu, 17 Dec 2015 01:07:57 +0100
Subject: [PATCH 2/3] Fix XSS in sharing message
---
 Changelog.md | 4 ++++
 .../javascripts/app/helpers/handlebars-helpers.js | 8 ++++----
 .../app/helpers/handlebars-helpers_spec.js | 12 ++++++++++++
 3 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 spec/javascripts/app/helpers/handlebars-helpers_spec.js
diff --git a/Changelog.md b/Changelog.md
index 8cf3cb95f..e6a2d713e 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.5.5.1
+
+* Fix XSS on profile pages
+
 # 0.5.5.0
 ## Bug fixes
diff --git a/app/assets/javascripts/app/helpers/handlebars-helpers.js b/app/assets/javascripts/app/helpers/handlebars-helpers.js
index 1862dc11b..d27f4df96 100644
--- a/app/assets/javascripts/app/helpers/handlebars-helpers.js
+++ b/app/assets/javascripts/app/helpers/handlebars-helpers.js
@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
 });
 // relationship indicator for profile page
-Handlebars.registerHelper('sharingMessage', function(person) {
- var i18n_scope = 'people.helper.is_not_sharing';
+Handlebars.registerHelper("sharingMessage", function(person) {
+ var i18nScope = "people.helper.is_not_sharing";
 var icon = "circle";
 if( person.is_sharing ) {
- i18n_scope = 'people.helper.is_sharing';
+ i18nScope = "people.helper.is_sharing";
 icon = "entypo check";
 }
- var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
+ var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
 var html = '';
diff --git a/spec/javascripts/app/helpers/handlebars-helpers_spec.js b/spec/javascripts/app/helpers/handlebars-helpers_spec.js
new file mode 100644
index 000000000..1ea73894f
--- /dev/null
+++ b/spec/javascripts/app/helpers/handlebars-helpers_spec.js
@@ -0,0 +1,12 @@
+describe("Handlebars helpers", function() {
+ beforeEach(function() {
+ Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
+ });
+
+ describe("sharingMessage", function() {
+ it("escapes the person's name", function() {
+ var person = { name: "\"> \">"};
+ expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/
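Review bot: The escaping in the new `var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});` line is applied to the input value rather than at the output boundary, so only the substituted name is protected: whatever `Diaspora.I18n.t` returns around it reaches `title` unescaped, and any caller that later renders `title` as text instead of markup will show `&lt;`/`&quot;` entities for a name that merely contains those characters. Escaping once where the string is actually placed into the attribute is easier to audit and survives future changes to the translation strings, e.g. `var title = _.escape(Diaspora.I18n.t(i18nScope, {name: person.name}));` (or `Handlebars.Utils.escapeExpression` for the same effect). Either way the line deserves a why-comment for the next reader, e.g. `// person.name is user-controlled and lands inside an HTML attribute below`. Note also that `_.escape` turns a missing `person.name` into `""`, a small behaviour change from the old line worth confirming is intended. The markup that consumes `title` starts at `var html = '';` and the body of sharingMessage continues past the end of the hunk, so the attribute context is inferred rather than visible here.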