nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix XSS issue in poll questions

Browse source 
closes #5274
This commit is contained in:
Jonne Haß 2014-10-03 17:12:11 +02:00
parent dcb0d8dd58
commit a5ca738e91
4 changed files with 17 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Changelog.md
View file

@ -1,3 +1,7 @@
# 0.4.1.1
* Fix XSS issue in poll questions [#5274](https://github.com/diaspora/diaspora/issues/5274)
# 0.4.1.0 # 0.4.1.0
## New 'Terms of Service' feature and template ## New 'Terms of Service' feature and template

6
app/assets/templates/poll_tpl.jst.hbs
View file

@ -1,7 +1,7 @@
{{#if poll}} {{#if poll}}
<div class="poll_form"> <div class="poll_form">
<div class="row-fluid poll_head"> <div class="row-fluid poll_head">
<strong>{{{poll.question}}}</strong> <strong>{{poll.question}}</strong>
<div class="poll_statistic pull-right"> <div class="poll_statistic pull-right">
{{t "poll.count" count=poll.participation_count}} {{t "poll.count" count=poll.participation_count}}
</div> </div>
@ -12,13 +12,13 @@
{{#poll.poll_answers}} {{#poll.poll_answers}}
<label class="radio result-row"> <label class="radio result-row">
<input type="radio" name="vote" value="{{id}}"/> <input type="radio" name="vote" value="{{id}}"/>
{{answer}} {{answer}}
<span class="percentage pull-right" style="display: none;"></span> <span class="percentage pull-right" style="display: none;"></span>
<div class="poll_progress_bar_wrapper progress" style="display: none"> <div class="poll_progress_bar_wrapper progress" style="display: none">
<div class="poll_progress_bar bar" data-answerid="{{id}}"> <div class="poll_progress_bar bar" data-answerid="{{id}}">
</div> </div>
</div> </div>
</label> </label>
{{/poll.poll_answers}} {{/poll.poll_answers}}
<div class="toggle_result_wrapper"> <div class="toggle_result_wrapper">
<a class="toggle_result" href="#">{{t "poll.show_result"}}</a> <a class="toggle_result" href="#">{{t "poll.show_result"}}</a>

2
config/defaults.yml
View file

@ -4,7 +4,7 @@
defaults: defaults:
version: version:
number: "0.4.1.0" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head" number: "0.4.1.1" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head"
heroku: false heroku: false
environment: environment:
url: "http://localhost:3000/" url: "http://localhost:3000/"

9
spec/javascripts/app/views/poll_view_spec.js
View file

@ -35,6 +35,15 @@ describe("app.views.Poll", function(){
}) })
}); });
describe("render", function() {
it("escapes the poll question", function() {
var question = "<script>alert(0);</script>";
this.view.poll.question = question;
this.view.render();
expect(this.view.$('.poll_head strong').text()).toBe(question);
});
});
describe("vote form", function(){ describe("vote form", function(){
it('show vote form when user is logged in and not voted before', function(){ it('show vote form when user is logged in and not voted before', function(){
expect(this.view.$('form').length).toBe(1); expect(this.view.$('form').length).toBe(1);