Render flash message content with .text

.html does not escape any html input in these, leading to XSS
attack vectors.

Thanks to A Kai (@sixhundredns) for reporting the related issues.

app/assets/javascripts/widgets/flash-messages.js

@@ -19,7 +19,7 @@
       .html($("<div/>", {
         'class': "message"
         })
-        .html(result.notice))
+        .text(result.notice))
       .prependTo(document.body);
 
 

features/desktop/connects_users.feature

@@ -44,6 +44,19 @@ Feature: following and being followed
     When I am on the home page
     Then I should see "I am ALICE"
 
+  Scenario: I follow a malicious user
+    When I sign in as "bob@bob.bob"
+    And I go to the edit profile page
+    And I fill in the following:
+      | profile_first_name         | <script>alert(0)//   |
+    And I press "update_profile"
+    Then I should be on my edit profile page
+
+    When I sign in as "alice@alice.alice"
+    And I am on "bob@bob.bob"'s page
+    And I add the person to my "Besties" aspect
+    Then I should see a flash message containing "You have started sharing with <script>alert(0)//!"
+
   Scenario: seeing non-public posts of someone you follow who also follows you
     When I sign in as "alice@alice.alice"
     And I am on "bob@bob.bob"'s page

features/desktop/signs_up.feature

@@ -16,6 +16,13 @@ Feature: new user registration
     Then I should be on the stream page
     And I should not see "awesome_button"
 
+  Scenario: new user tries to XSS itself
+    When I fill in the following:
+      | profile_first_name | <script>alert(0)// |
+    And I focus the "follow_tags" field
+    Then I should see a flash message containing "Hey, <script>alert(0)//!"
+
+
   Scenario: new user does not add any tags in setup wizard and cancel the alert
     When I fill in the following:
       | profile_first_name | some name     |