diff --git a/Changelog.md b/Changelog.md
index 8cf3cb95f..e6a2d713e 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.5.5.1
+
+* Fix XSS on profile pages
+
# 0.5.5.0
## Bug fixes
diff --git a/app/assets/javascripts/app/helpers/handlebars-helpers.js b/app/assets/javascripts/app/helpers/handlebars-helpers.js
index 1862dc11b..d27f4df96 100644
--- a/app/assets/javascripts/app/helpers/handlebars-helpers.js
+++ b/app/assets/javascripts/app/helpers/handlebars-helpers.js
@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
});
// relationship indicator for profile page
-Handlebars.registerHelper('sharingMessage', function(person) {
- var i18n_scope = 'people.helper.is_not_sharing';
+Handlebars.registerHelper("sharingMessage", function(person) {
+ var i18nScope = "people.helper.is_not_sharing";
var icon = "circle";
if( person.is_sharing ) {
- i18n_scope = 'people.helper.is_sharing';
+ i18nScope = "people.helper.is_sharing";
icon = "entypo check";
}
- var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
+ var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
var html = ''+
' '+
'';
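Review bot: The escape on `var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});` is applied to a single interpolated value rather than to the string that is actually placed into the markup, so it protects only the `name` placeholder and relies on the translation string and the (apparently stripped) `html` concatenation that follows both being attribute-safe. Escaping the assembled title once at the point of insertion — `var title = _.escape(Diaspora.I18n.t(i18nScope, {name: person.name}));` — would cover any placeholder added to these translations later and would not depend on each call site remembering to escape; this assumes `Diaspora.I18n.t` returns plain text rather than pre-escaped HTML, which should be confirmed before switching. `_.escape` covers `& < > " '` and backtick, which is adequate for a double-quoted attribute but not for an unquoted attribute, a URL, or a script context, so a comment stating the contract would help the next maintainer: `// title is interpolated into a double-quoted HTML attribute below; _.escape is sufficient for that context only`. The helper's return statement lies outside this hunk, so whether the result is wrapped in `Handlebars.SafeString` (bypassing Handlebars' own escaping) cannot be checked here.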
diff --git a/spec/javascripts/app/helpers/handlebars-helpers_spec.js b/spec/javascripts/app/helpers/handlebars-helpers_spec.js
new file mode 100644
index 000000000..1ea73894f
--- /dev/null
+++ b/spec/javascripts/app/helpers/handlebars-helpers_spec.js
@@ -0,0 +1,12 @@
+describe("Handlebars helpers", function() {
+ beforeEach(function() {
+ Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
+ });
+
+ describe("sharingMessage", function() {
+ it("escapes the person's name", function() {
+ var person = { name: "\"> \">"};
+ expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/