Commit e20f2ae5 authored by Steffen van Bergerem's avatar Steffen van Bergerem Committed by Dennis Schubert

Fix XSS in sharing message

parent 3ac340e0
+4 −0
# 0.5.5.1

* Fix XSS on profile pages

# 0.5.5.0

## Bug fixes
+4 −4
@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
});

// relationship indicator for profile page
Handlebars.registerHelper('sharingMessage', function(person) {
  var i18n_scope = 'people.helper.is_not_sharing';
Handlebars.registerHelper("sharingMessage", function(person) {
  var i18nScope = "people.helper.is_not_sharing";
  var icon = "circle";
  if( person.is_sharing ) {
    i18n_scope = 'people.helper.is_sharing';
    i18nScope = "people.helper.is_sharing";
    icon = "entypo check";
  }

  var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
  var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
  var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+
             '  <i id="sharing_message" class="'+icon+'"></i>'+
             '</span>';
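Review bot: The escaping on the `var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});` line is applied to one argument before it passes through the i18n template, rather than to the value that actually enters the double-quoted `title` attribute two lines below; escaping at that boundary, `var title = _.escape(Diaspora.I18n.t(i18nScope, {name: person.name}));`, also covers any interpolation a translation or a future change adds, and makes the intent visible at the point of use. Either form is only sufficient because the attribute is double-quoted and because `_.escape` encodes `"` and `&` as well as `<` and `>` (true of the Underscore versions in common use, worth confirming for the one bundled here). A short why-comment, e.g. `// name is user-controlled: it must be HTML-escaped before it lands in the title attribute`, would stop a later refactor from moving the escape to a place where it no longer protects the attribute. The body of `sharingMessage` continues past the end of this hunk, so the `return` and how `html` is handed back to Handlebars are not visible here.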
+12 −0
describe("Handlebars helpers", function() {
  beforeEach(function() {
    Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
  });

  describe("sharingMessage", function() {
    it("escapes the person's name", function() {
      var person = { name: "\"><script>alert(0)</script> \"><script>alert(0)</script>"};
      expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/<script>/);
    });
  });
});
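Review bot: The assertion on the `expect(...).not.toMatch(/<script>/)` line only proves that a `<script>` tag was neutralised, not that the attribute context is protected: the payload on the line above starts with `">` precisely to break out of `title="..."`, and a `"` followed by an `onmouseover` attribute needs no `<script>` at all. Pinning the encoded form, e.g. `expect(Handlebars.helpers.sharingMessage(person)).toContain("&quot;&gt;&lt;script&gt;");` alongside `expect(Handlebars.helpers.sharingMessage(person)).not.toContain("\"><script>");`, checks that both the quote and the angle brackets are escaped and would catch a regression where the escape is dropped or moved. The fixture loads only `is_not_sharing`, so the `person.is_sharing` branch is never exercised; since it uses the same `title` line this is acceptable, but a second case with `is_sharing: true` would make that explicit.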