From cf9659de4a88aa4606576ed8dc7a422e8377805d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Tue, 26 Feb 2013 18:44:49 +0100
Subject: [PATCH] fix XSS vulnerability in conversations#new, closes #4010

---
 Changelog.md | 4 ++++
 app/views/conversations/new.haml | 2 +-
 spec/controllers/conversations_controller_spec.rb | 8 ++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index dde16f14e..c86a5dbec 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -13,6 +13,10 @@
 * Deleting a post that was shared to Facebook now deletes it from Facebook too [#3980]( https://github.com/diaspora/diaspora/pull/3980)
 * Include reshares in a users public atom feed [#1781](https://github.com/diaspora/diaspora/issues/1781)
 
+# 0.0.3.2
+
+* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
+
 # 0.0.3.1
 
 * exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.
diff --git a/app/views/conversations/new.haml b/app/views/conversations/new.haml
index afab424df..484534866 100644
--- a/app/views/conversations/new.haml
+++ b/app/views/conversations/new.haml
@@ -20,7 +20,7 @@
 keyDelay: 0,
 startText: '',
 emptyText: '#{t('no_results')}',
- preFill: [{name : "#{params[:name]}",
+ preFill: [{name : "#{h params[:name]}",
 value : "#{@contact_ids}"}]
 });
 autocompleteInput.focus();
diff --git a/spec/controllers/conversations_controller_spec.rb b/spec/controllers/conversations_controller_spec.rb
index a0963bcf8..60e3bf739 100644
--- a/spec/controllers/conversations_controller_spec.rb
+++ b/spec/controllers/conversations_controller_spec.rb
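Review bot: `h` HTML-escapes, but the interpolation on the added `preFill:` line sits inside a JavaScript string literal, where entity encoding is the wrong escaping context: a `"` becomes `&quot;` and an `&` becomes `&amp;`, which the browser does not decode inside a script block, so the prefilled name is displayed with literal entities, while a backslash or line break in the parameter still terminates the literal early (a syntax error rather than script execution, as far as this hunk shows). The JavaScript-aware helper fits the context better: `preFill: [{name : "#{j params[:name]}",` (`escape_javascript`), which escapes quotes, backslashes, line breaks and `</`. The `value : "#{@contact_ids}"` interpolation on the following context line is left unescaped; the spec hunk suggests it is a comma-joined list of contact ids, so it is presumably not attacker-controlled, but using the same helper there keeps both interpolations consistent. The surrounding script block starts and ends outside the hunk.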
@@ -33,6 +33,14 @@ describe ConversationsController do
 get :new, :aspect_id => alice.aspects.first.id
 assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
 end
+
+ it "does not allow XSS via the name parameter" do
+ ["",
+ '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+ get :new, name: xss
+ response.body.should_not include xss
+ end
+ end
 end
 
 describe '#index' do
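Review bot: The first payload in the added `it` block is the empty string as rendered here, and `response.body.should_not include ""` cannot pass, because RSpec's `include` matcher delegates to `String#include?` and every string includes the empty string; if a markup payload was stripped when this patch was rendered, confirm what the element actually holds, otherwise drop it or replace it with a payload that contains markup. The remaining assertion only checks that the raw payload is absent, which would also hold if the parameter were ignored entirely; asserting the escaped form as well, e.g. `response.body.should include "&quot;}]});alert(1);"`, distinguishes escaping from dropping. The enclosing `describe ConversationsController` block starts and ends outside the hunk.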