fix XSS vulnerability in conversations#new, closes #4010

Changelog.md

@@ -13,6 +13,10 @@
 * Deleting a post that was shared to Facebook now deletes it from Facebook too [#3980]( https://github.com/diaspora/diaspora/pull/3980)
 * Include reshares in a users public atom feed [#1781](https://github.com/diaspora/diaspora/issues/1781)
 
+# 0.0.3.2
+
+* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
+
 # 0.0.3.1
 
 * exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.

app/views/conversations/new.haml

@@ -20,7 +20,7 @@
       keyDelay: 0,
       startText: '',
       emptyText: '#{t('no_results')}',
-      preFill: [{name : "#{params[:name]}",
+      preFill: [{name : "#{h params[:name]}",
                  value : "#{@contact_ids}"}]
       });
     autocompleteInput.focus();

spec/controllers/conversations_controller_spec.rb

@@ -33,6 +33,14 @@ describe ConversationsController do
       get :new, :aspect_id => alice.aspects.first.id
       assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
     end
+
+    it "does not allow XSS via the name parameter" do
+      ["</script><script>alert(1);</script>",
+       '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+        get :new, name: xss
+        response.body.should_not include xss
+      end
+    end
   end
 
   describe '#index' do