Commit e20f2ae5 authored by Steffen van Bergerem's avatar Steffen van Bergerem Committed by Dennis Schubert

Fix XSS in sharing message

parent 3ac340e0
# 0.5.5.1
* Fix XSS on profile pages
# 0.5.5.0
## Bug fixes
......
......@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
});
// relationship indicator for profile page
Handlebars.registerHelper('sharingMessage', function(person) {
var i18n_scope = 'people.helper.is_not_sharing';
Handlebars.registerHelper("sharingMessage", function(person) {
var i18nScope = "people.helper.is_not_sharing";
var icon = "circle";
if( person.is_sharing ) {
i18n_scope = 'people.helper.is_sharing';
i18nScope = "people.helper.is_sharing";
icon = "entypo check";
}
var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+
' <i id="sharing_message" class="'+icon+'"></i>'+
'</span>';
......
describe("Handlebars helpers", function() {
beforeEach(function() {
Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
});
describe("sharingMessage", function() {
it("escapes the person's name", function() {
var person = { name: "\"><script>alert(0)</script> \"><script>alert(0)</script>"};
expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/<script>/);
});
});
});
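Review bot: The `expect(...).not.toMatch(/<script>/)` assertion only proves the literal `<script>` is absent, which does not show the name was actually escaped — in the helper the value lands inside `title="…"`, so the `"` that opens the attribute breakout is the character that matters, and it is not checked here. Assuming Diaspora.I18n.t substitutes `<%= name %>` verbatim, the escaped output is predictable and the spec should pin it, e.g. `expect(Handlebars.helpers.sharingMessage(person)).toMatch(/&quot;&gt;&lt;script&gt;/);` alongside the existing negative check. The `is_sharing` branch of the helper is not exercised at all; a second case with `is_sharing: true` would need the `is_sharing` key added to the `Diaspora.I18n.load` call in `beforeEach`.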