From d3487c8b7d366a5709d76f74c6762698a71e0e16 Mon Sep 17 00:00:00 2001
From: Maxwell Salzberg
Date: Sat, 16 Jun 2012 14:59:51 -0700
Subject: [PATCH] fix sa mall possible xss in personImage handlebar helpers if the attacker had access to your root domain. fixes #3392
---
 app/assets/javascripts/app/helpers/handlebars-helpers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/assets/javascripts/app/helpers/handlebars-helpers.js b/app/assets/javascripts/app/helpers/handlebars-helpers.js
index da747a669..e1984aed2 100644
--- a/app/assets/javascripts/app/helpers/handlebars-helpers.js
+++ b/app/assets/javascripts/app/helpers/handlebars-helpers.js
@@ -22,5 +22,5 @@ Handlebars.registerHelper('personImage', function(person, size, imageClass) {
 size = (typeof(size) != "string" ? "small" : size);
 imageClass = (typeof(imageClass) != "string" ? size : imageClass);
- return "";
+ return "";
 })
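Review bot: The two context lines above the changed `return` only check that `size` and `imageClass` are strings, which constrains their type but not their content, so if either value is concatenated into the returned markup it needs the same escaping as the person fields. The markup inside both `return` strings is not visible in this copy of the patch, so which values the new line actually escapes cannot be confirmed from here. For the two arguments I would escape at the point of assignment, e.g. `imageClass = Handlebars.Utils.escapeExpression(imageClass);`, and restrict `size` to the known avatar sizes before it is used. A short comment above the return such as `// every value interpolated into this tag must be HTML-escaped; a typeof check is not sanitisation` would keep later edits from reintroducing the problem. The helper's opening line appears only in the hunk header, so part of its body may lie outside what is shown.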