Merge branch 'master' into stable

Nighoo · Dec 19, 2015 · c238329 · c238329
2 parents 2025fae + 9cb4b73
commit c238329
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 9 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -11,6 +11,11 @@
 
 ## Features
 
+# 0.5.5.1
+
+* Fix XSS on profile pages
+* Bump nokogiri to fix several libxml2 CVEs, see http://www.ubuntu.com/usn/usn-2834-1/
+
 # 0.5.5.0
 
 ## Bug fixes

diff --git a/Gemfile b/Gemfile
@@ -126,7 +126,7 @@ gem "messagebus_ruby_api", "1.0.3"
 
 # Parsing
 
-gem "nokogiri",          "1.6.6.4"
+gem "nokogiri",          "1.6.7.1"
 gem "redcarpet",         "3.3.3"
 gem "twitter-text",      "1.13.0"
 gem "roxml",             "3.1.6"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -436,7 +436,7 @@ GEM
     method_source (0.8.2)
     mime-types (2.6.2)
     mini_magick (4.3.6)
-    mini_portile (0.6.2)
+    mini_portile2 (2.0.0)
     minitest (5.8.2)
     mobile-fu (1.3.1)
       rack-mobile-detect
@@ -453,8 +453,8 @@ GEM
       net-ssh (>= 2.6.5)
     net-ssh (3.0.1)
     nio4r (1.1.1)
-    nokogiri (1.6.6.4)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.1)
+      mini_portile2 (~> 2.0.0.rc2)
     notiffany (0.0.8)
       nenv (~> 0.1)
       shellany (~> 0.0)
@@ -817,7 +817,7 @@ DEPENDENCIES
   minitest
   mobile-fu (= 1.3.1)
   mysql2 (= 0.3.20)
-  nokogiri (= 1.6.6.4)
+  nokogiri (= 1.6.7.1)
   omniauth (= 1.2.2)
   omniauth-facebook (= 2.0.1)
   omniauth-tumblr (= 1.1)

diff --git a/app/assets/javascripts/app/helpers/handlebars-helpers.js b/app/assets/javascripts/app/helpers/handlebars-helpers.js
@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
 });
 
 // relationship indicator for profile page
-Handlebars.registerHelper('sharingMessage', function(person) {
-  var i18n_scope = 'people.helper.is_not_sharing';
+Handlebars.registerHelper("sharingMessage", function(person) {
+  var i18nScope = "people.helper.is_not_sharing";
   var icon = "circle";
   if( person.is_sharing ) {
-    i18n_scope = 'people.helper.is_sharing';
+    i18nScope = "people.helper.is_sharing";
     icon = "entypo check";
   }
 
-  var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
+  var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
   var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+
              '  <i id="sharing_message" class="'+icon+'"></i>'+
              '</span>';

diff --git a/spec/javascripts/app/helpers/handlebars-helpers_spec.js b/spec/javascripts/app/helpers/handlebars-helpers_spec.js
@@ -0,0 +1,12 @@
+describe("Handlebars helpers", function() {
+  beforeEach(function() {
+    Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
+  });
+
+  describe("sharingMessage", function() {
+    it("escapes the person's name", function() {
+      var person = { name: "\"><script>alert(0)</script> \"><script>alert(0)</script>"};
+      expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/<script>/);
+    });
+  });
+});