Fix XSS issue in poll questions

closes #5274

Changelog.md

@@ -1,3 +1,7 @@
+# 0.4.1.1
+
+* Fix XSS issue in poll questions [#5274](https://github.com/diaspora/diaspora/issues/5274)
+
 # 0.4.1.0
 
 ## New 'Terms of Service' feature and template

app/assets/templates/poll_tpl.jst.hbs

@@ -1,7 +1,7 @@
 {{#if poll}}
   <div class="poll_form">
     <div class="row-fluid poll_head">
-      <strong>{{{poll.question}}}</strong>
+      <strong>{{poll.question}}</strong>
       <div class="poll_statistic pull-right">
         {{t "poll.count" count=poll.participation_count}}
       </div>

config/defaults.yml

@@ -4,7 +4,7 @@
 
 defaults:
   version:
-    number: "0.4.1.0" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head"
+    number: "0.4.1.1" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head"
   heroku: false
   environment:
     url: "http://localhost:3000/"

spec/javascripts/app/views/poll_view_spec.js

@@ -35,6 +35,15 @@ describe("app.views.Poll", function(){
     })
   });
 
+  describe("render", function() {
+    it("escapes the poll question", function() {
+      var question = "<script>alert(0);</script>";
+      this.view.poll.question = question;
+      this.view.render();
+      expect(this.view.$('.poll_head strong').text()).toBe(question);
+    });
+  });
+
   describe("vote form", function(){
     it('show vote form when user is logged in and not voted before', function(){
       expect(this.view.$('form').length).toBe(1);