Skip to content

D
diaspora
Commit e20f2ae5 authored by Steffen van Bergerem's avatar Steffen van Bergerem Committed by Dennis Schubert
Browse files
Options

Fix XSS in sharing message

parent 3ac340e0
Hide whitespace changes
Inline Side-by-side
Showing with 20 additions and 4 deletions
Changelog.md
View file @ e20f2ae5
# 0.5.5.1
* Fix XSS on profile pages
# 0.5.5.0
## Bug fixes
......
app/assets/javascripts/app/helpers/handlebars-helpers.js
View file @ e20f2ae5
......@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
});
// relationship indicator for profile page
Handlebars.registerHelper('sharingMessage', function(person) {
var i18n_scope = 'people.helper.is_not_sharing';
Handlebars.registerHelper("sharingMessage", function(person) {
var i18nScope = "people.helper.is_not_sharing";
var icon = "circle";
if( person.is_sharing ) {
i18n_scope = 'people.helper.is_sharing';
i18nScope = "people.helper.is_sharing";
icon = "entypo check";
}
var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+
' <i id="sharing_message" class="'+icon+'"></i>'+
'</span>';
......
spec/javascripts/app/helpers/handlebars-helpers_spec.js 0 → 100644
View file @ e20f2ae5
describe("Handlebars helpers", function() {
beforeEach(function() {
Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
});
describe("sharingMessage", function() {
it("escapes the person's name", function() {
var person = { name: "\"><script>alert(0)</script> \"><script>alert(0)</script>"};
expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/<script>/);
});
});
});
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment