From a5ca738e91fc82a96e2d2f754b5f9c5b6f1323ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Fri, 3 Oct 2014 17:12:11 +0200
Subject: [PATCH] Fix XSS issue in poll questions
closes #5274
---
 Changelog.md | 4 ++++
 app/assets/templates/poll_tpl.jst.hbs | 6 +++---
 config/defaults.yml | 2 +-
 spec/javascripts/app/views/poll_view_spec.js | 9 +++++++++
 4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 9c56bddc5..9c0c976da 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.4.1.1
+
+* Fix XSS issue in poll questions [#5274](https://github.com/diaspora/diaspora/issues/5274)
+
 # 0.4.1.0
 ## New 'Terms of Service' feature and template
diff --git a/app/assets/templates/poll_tpl.jst.hbs b/app/assets/templates/poll_tpl.jst.hbs
index 20def69b1..f9aad7f18 100644
--- a/app/assets/templates/poll_tpl.jst.hbs
+++ b/app/assets/templates/poll_tpl.jst.hbs
@@ -1,7 +1,7 @@
 {{#if poll}}
- {{{poll.question}}}
+ {{poll.question}}
{{t "poll.count" count=poll.participation_count}}
@@ -12,13 +12,13 @@
 {{#poll.poll_answers}}
+ {{/poll.poll_answers}}
 {{t "poll.show_result"}}
diff --git a/config/defaults.yml b/config/defaults.yml
index c68d47847..743f03e40 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@ defaults:
 version:
- number: "0.4.1.0" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head"
+ number: "0.4.1.1" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head"
 heroku: false
 environment:
 url: "http://localhost:3000/"
diff --git a/spec/javascripts/app/views/poll_view_spec.js b/spec/javascripts/app/views/poll_view_spec.js
index 1fa4442dd..bbb2dccad 100644
--- a/spec/javascripts/app/views/poll_view_spec.js
+++ b/spec/javascripts/app/views/poll_view_spec.js
@@ -35,6 +35,15 @@ describe("app.views.Poll", function(){
 })
 });
+ describe("render", function() {
+ it("escapes the poll question", function() {
+ var question = "";
+ this.view.poll.question = question;
+ this.view.render();
+ expect(this.view.$('.poll_head strong').text()).toBe(question);
+ });
+ });
+
 describe("vote form", function(){
 it('show vote form when user is logged in and not voted before', function(){
 expect(this.view.$('form').length).toBe(1);
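Review bot: The new "escapes the poll question" spec cannot fail against the old `{{{poll.question}}}` template as it appears here, because `question` is the empty string and `.text()` yields `""` for both the escaped and the raw rendering; the fixture needs markup, e.g. `var question = "<b>constructed-sample</b>";`, so that an unescaped render would turn it into an element and `.text()` would no longer equal the input (if the empty literal is an extraction artifact of this page, disregard this). Comparing `.text()` is a sound check only under that condition, since it compares decoded text rather than the produced HTML; asserting on `.html()` containing `&lt;b&gt;` would make the intent explicit either way. The second template hunk changes lines inside the `{{#poll.poll_answers}}` block, yet no spec exercises answer text, so a parallel `it("escapes the poll answers", …)` case with the same markup fixture would guard that path too. The enclosing `describe("app.views.Poll", …)` block starts before this hunk.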