From ecb1b80e2471dda43838bbc43b62759bb4d5fe00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?= <me@mrzyx.de>
Date: Sat, 24 May 2014 16:08:32 +0200
Subject: [PATCH] Render flash message content with .text

.html does not escape any html input in these, leading to XSS
attack vectors.

Thanks to A Kai (@sixhundredns) for reporting the related issues.
---
 .../javascripts/widgets/flash-messages.js     |  2 +-
 features/desktop/connects_users.feature       | 19 ++++++++++++++++---
 features/desktop/signs_up.feature             |  7 +++++++
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/app/assets/javascripts/widgets/flash-messages.js b/app/assets/javascripts/widgets/flash-messages.js
index 5c2dcf7e4..377120991 100644
--- a/app/assets/javascripts/widgets/flash-messages.js
+++ b/app/assets/javascripts/widgets/flash-messages.js
@@ -19,7 +19,7 @@
       .html($("<div/>", {
         'class': "message"
         })
-        .html(result.notice))
+        .text(result.notice))
       .prependTo(document.body);
 
 
diff --git a/features/desktop/connects_users.feature b/features/desktop/connects_users.feature
index 62c860e42..efa6f4a05 100644
--- a/features/desktop/connects_users.feature
+++ b/features/desktop/connects_users.feature
@@ -44,6 +44,19 @@ Feature: following and being followed
     When I am on the home page
     Then I should see "I am ALICE"
 
+  Scenario: I follow a malicious user
+    When I sign in as "bob@bob.bob"
+    And I go to the edit profile page
+    And I fill in the following:
+      | profile_first_name         | <script>alert(0)//   |
+    And I press "update_profile"
+    Then I should be on my edit profile page
+
+    When I sign in as "alice@alice.alice"
+    And I am on "bob@bob.bob"'s page
+    And I add the person to my "Besties" aspect
+    Then I should see a flash message containing "You have started sharing with <script>alert(0)//!"
+
   Scenario: seeing non-public posts of someone you follow who also follows you
     When I sign in as "alice@alice.alice"
     And I am on "bob@bob.bob"'s page
@@ -87,7 +100,7 @@ Feature: following and being followed
     When I sign in as "bob@bob.bob"
     And I am on "alice@alice.alice"'s page
 
-    Then I should see "Besties" 
+    Then I should see "Besties"
     Then I should see a "#mention_button" within "#profile"
     Then I should not see a "#message_button" within "#profile"
 
@@ -107,6 +120,6 @@ Feature: following and being followed
     And I add the person to my "Unicorns" aspect
 
     When I go to "bob@bob.bob"'s page
-    Then I should see "All Aspects" 
-    Then I should see a "#mention_button" within "#profile" 
+    Then I should see "All Aspects"
+    Then I should see a "#mention_button" within "#profile"
     Then I should see a "#message_button" within "#profile"
diff --git a/features/desktop/signs_up.feature b/features/desktop/signs_up.feature
index 93a07470d..ce8fb7d08 100644
--- a/features/desktop/signs_up.feature
+++ b/features/desktop/signs_up.feature
@@ -16,6 +16,13 @@ Feature: new user registration
     Then I should be on the stream page
     And I should not see "awesome_button"
 
+  Scenario: new user tries to XSS itself
+    When I fill in the following:
+      | profile_first_name | <script>alert(0)// |
+    And I focus the "follow_tags" field
+    Then I should see a flash message containing "Hey, <script>alert(0)//!"
+
+
   Scenario: new user does not add any tags in setup wizard and cancel the alert
     When I fill in the following:
       | profile_first_name | some name     |