From a5b4dd260418a20889e3c075f33ed412754ea943 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 19 Jan 2011 16:57:29 -0800
Subject: [PATCH] fix js bug, add spec
---
 app/views/shared/_public_explain.haml | 4 ++--
 spec/controllers/people_controller_spec.rb | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/app/views/shared/_public_explain.haml b/app/views/shared/_public_explain.haml
index da63b210e..633cd1037 100644
--- a/app/views/shared/_public_explain.haml
+++ b/app/views/shared/_public_explain.haml
@@ -11,7 +11,7 @@
 %br
 - if current_user.services
- - for service in current_user.services
+ - for service in current_user.services
 = t('.logged_in', :service => service.provider)
 %br
@@ -19,4 +19,4 @@
 %br
 %br
- = link_to t('ok'), '#', :class => "button", :onClick => '$.fancybox.close();'
+ = link_to t('ok'), '#', :class => "button", :onClick => '$.facebox.close();'
diff --git a/spec/controllers/people_controller_spec.rb b/spec/controllers/people_controller_spec.rb
index 4194e5f7a..2f603cccf 100644
--- a/spec/controllers/people_controller_spec.rb
+++ b/spec/controllers/people_controller_spec.rb
@@ -152,6 +152,16 @@ describe PeopleController do
 response.should be_success
 end
+ it 'does not allow xss attacks' do
+ user2 = bob
+ profile = user2.profile
+ profile.first_name = ""
+ profile.save
+ get :show, :id => user2.person.id
+ response.should be_success
+ response.body.match(profile.first_name).should be_false
+ end
+
 it "renders the show page of a non-contact" do
 user2 = eve
 get :show, :id => user2.person.id
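Review bot: The assertion `response.body.match(profile.first_name).should be_false` in the new 'does not allow xss attacks' example compiles the name into a Regexp, so any regex metacharacters in the payload (parentheses, dots, brackets) change what is searched for, and with `first_name` shown here as `""` — presumably the markup payload was stripped when the patch was rendered — an empty pattern matches every body at offset 0 and the example fails; a literal substring check is what is meant, `response.body.should_not include(profile.first_name)`. The example also passes vacuously if the name is never rendered at all or if `profile.save` silently fails validation, so it does not actually prove escaping; pin both with `profile.save!` and `response.body.should include(ERB::Util.html_escape(profile.first_name))`. The surrounding `describe PeopleController do` block starts and ends outside the hunk.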