Render flash message content with .text

.html does not escape any html input in these, leading to XSS attack vectors. Thanks to A Kai (@sixhundredns) for reporting the related issues.
2014-05-24 16:08:32 +02:00 · 2014-05-24 16:08:32 +02:00 · ecb1b80e24
commit ecb1b80e24
parent d36589e05b
3 changed files with 24 additions and 4 deletions
--- a/app/assets/javascripts/widgets/flash-messages.js
+++ b/app/assets/javascripts/widgets/flash-messages.js
@ -19,7 +19,7 @@
      .html($("<div/>", {
        'class': "message"
        })
-        .html(result.notice))
+        .text(result.notice))
      .prependTo(document.body);


--- a/features/desktop/connects_users.feature
+++ b/features/desktop/connects_users.feature
@ -44,6 +44,19 @@ Feature: following and being followed
    When I am on the home page
    Then I should see "I am ALICE"

+  Scenario: I follow a malicious user
+    When I sign in as "bob@bob.bob"
+    And I go to the edit profile page
+    And I fill in the following:
+      | profile_first_name         | <script>alert(0)//   |
+    And I press "update_profile"
+    Then I should be on my edit profile page
+
+    When I sign in as "alice@alice.alice"
+    And I am on "bob@bob.bob"'s page
+    And I add the person to my "Besties" aspect
+    Then I should see a flash message containing "You have started sharing with <script>alert(0)//!"
+
  Scenario: seeing non-public posts of someone you follow who also follows you
    When I sign in as "alice@alice.alice"
    And I am on "bob@bob.bob"'s page
@ -87,7 +100,7 @@ Feature: following and being followed
    When I sign in as "bob@bob.bob"
    And I am on "alice@alice.alice"'s page

-    Then I should see "Besties" 
+    Then I should see "Besties"
    Then I should see a "#mention_button" within "#profile"
    Then I should not see a "#message_button" within "#profile"

@ -107,6 +120,6 @@ Feature: following and being followed
    And I add the person to my "Unicorns" aspect

    When I go to "bob@bob.bob"'s page
-    Then I should see "All Aspects" 
-    Then I should see a "#mention_button" within "#profile" 
+    Then I should see "All Aspects"
+    Then I should see a "#mention_button" within "#profile"
    Then I should see a "#message_button" within "#profile"
--- a/features/desktop/signs_up.feature
+++ b/features/desktop/signs_up.feature
@ -16,6 +16,13 @@ Feature: new user registration
    Then I should be on the stream page
    And I should not see "awesome_button"

+  Scenario: new user tries to XSS itself
+    When I fill in the following:
+      | profile_first_name | <script>alert(0)// |
+    And I focus the "follow_tags" field
+    Then I should see a flash message containing "Hey, <script>alert(0)//!"
+
+
  Scenario: new user does not add any tags in setup wizard and cancel the alert
    When I fill in the following:
      | profile_first_name | some name     |