Fix XSS in sharing message

Changelog.md

@@ -1,3 +1,7 @@
+# 0.5.5.1
+
+* Fix XSS on profile pages
+
 # 0.5.5.0
 
 ## Bug fixes

app/assets/javascripts/app/helpers/handlebars-helpers.js

@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
 });
 
 // relationship indicator for profile page
-Handlebars.registerHelper('sharingMessage', function(person) {
+Handlebars.registerHelper("sharingMessage", function(person) {
-  var i18n_scope = 'people.helper.is_not_sharing';
+  var i18nScope = "people.helper.is_not_sharing";
   var icon = "circle";
   if( person.is_sharing ) {
-    i18n_scope = 'people.helper.is_sharing';
+    i18nScope = "people.helper.is_sharing";
     icon = "entypo check";
   }
 
-  var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
+  var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
   var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+
              '  <i id="sharing_message" class="'+icon+'"></i>'+
              '</span>';

spec/javascripts/app/helpers/handlebars-helpers_spec.js

@@ -0,0 +1,12 @@
+describe("Handlebars helpers", function() {
+  beforeEach(function() {
+    Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
+  });
+
+  describe("sharingMessage", function() {
+    it("escapes the person's name", function() {
+      var person = { name: "\"><script>alert(0)</script> \"><script>alert(0)</script>"};
+      expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/<script>/);
+    });
+  });
+});