Commit 1959f0d9 authored by Jonne Haß's avatar Jonne Haß

Merge branch 'hotfix/0.4.1.1' into develop

Conflicts:
	Changelog.md
	config/defaults.yml
parents 648a45b4 a5ca738e
...@@ -60,6 +60,10 @@ The default for including jQuery from a CDN has changed. If you want to continue ...@@ -60,6 +60,10 @@ The default for including jQuery from a CDN has changed. If you want to continue
* Increase possible captcha length [#5169](https://github.com/diaspora/diaspora/pull/5169) * Increase possible captcha length [#5169](https://github.com/diaspora/diaspora/pull/5169)
* Display visibility icon in publisher aspects dropdown [#4982](https://github.com/diaspora/diaspora/pull/4982) * Display visibility icon in publisher aspects dropdown [#4982](https://github.com/diaspora/diaspora/pull/4982)
# 0.4.1.1
* Fix XSS issue in poll questions [#5274](https://github.com/diaspora/diaspora/issues/5274)
# 0.4.1.0 # 0.4.1.0
## New 'Terms of Service' feature and template ## New 'Terms of Service' feature and template
......
{{#if poll}} {{#if poll}}
<div class="poll_form"> <div class="poll_form">
<div class="row-fluid poll_head"> <div class="row-fluid poll_head">
<strong>{{{poll.question}}}</strong> <strong>{{poll.question}}</strong>
<div class="poll_statistic pull-right"> <div class="poll_statistic pull-right">
{{t "poll.count" count=poll.participation_count}} {{t "poll.count" count=poll.participation_count}}
</div> </div>
...@@ -12,13 +12,13 @@ ...@@ -12,13 +12,13 @@
{{#poll.poll_answers}} {{#poll.poll_answers}}
<label class="radio result-row"> <label class="radio result-row">
<input type="radio" name="vote" value="{{id}}"/> <input type="radio" name="vote" value="{{id}}"/>
{{answer}} {{answer}}
<span class="percentage pull-right" style="display: none;"></span> <span class="percentage pull-right" style="display: none;"></span>
<div class="poll_progress_bar_wrapper progress" style="display: none"> <div class="poll_progress_bar_wrapper progress" style="display: none">
<div class="poll_progress_bar bar" data-answerid="{{id}}"> <div class="poll_progress_bar bar" data-answerid="{{id}}">
</div> </div>
</div> </div>
</label> </label>
{{/poll.poll_answers}} {{/poll.poll_answers}}
<div class="toggle_result_wrapper"> <div class="toggle_result_wrapper">
<a class="toggle_result" href="#">{{t "poll.show_result"}}</a> <a class="toggle_result" href="#">{{t "poll.show_result"}}</a>
......
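Review bot: The switch from `{{{poll.question}}}` to `{{poll.question}}` in the `poll_head` line is the right fix, but nothing in the template records why the double-stash matters there, so a later edit can regress it while "fixing" the rendering of formatted questions. Add a template comment on the line above it: `{{!-- poll.question is user-supplied; keep the double-stash so Handlebars HTML-escapes it (#5274) --}}`. `{{answer}}` further down already uses the escaping form, so the answer rows are consistent with this change. The first hunk of this file begins above what is shown here, and the second hunk (`@@ -12,13 +12,13 @@`) shows context only in this view.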
...@@ -35,6 +35,15 @@ describe("app.views.Poll", function(){ ...@@ -35,6 +35,15 @@ describe("app.views.Poll", function(){
}) })
}); });
describe("render", function() {
it("escapes the poll question", function() {
var question = "<script>alert(0);</script>";
this.view.poll.question = question;
this.view.render();
expect(this.view.$('.poll_head strong').text()).toBe(question);
});
});
describe("vote form", function(){ describe("vote form", function(){
it('show vote form when user is logged in and not voted before', function(){ it('show vote form when user is logged in and not voted before', function(){
expect(this.view.$('form').length).toBe(1); expect(this.view.$('form').length).toBe(1);
......
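Review bot: The new `escapes the poll question` spec asserts only on `.text()`, which passes for the escaped output but in the unescaped case would depend on how jQuery happens to treat an injected `<script>` element, so the intent of the test is indirect. Assert the DOM shape explicitly instead: `expect(this.view.$('.poll_head strong script').length).toBe(0);` and `expect(this.view.$('.poll_head strong').html()).toContain('&lt;script&gt;');`. The spec also assigns `this.view.poll.question` directly; if the view is not rebuilt in a `beforeEach` (which ends just above this hunk, so I cannot confirm that here), the mutation leaks into the following `vote form` specs. The enclosing `describe("app.views.Poll")` block starts outside the hunk.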