author | Jonne Haß <me@jhass.eu> | 2014-10-03 19:12:11 +0400 |
---|---|---|
committer | Jonne Haß <me@jhass.eu> | 2014-10-03 19:12:11 +0400 |
commit | a5ca738e91fc82a96e2d2f754b5f9c5b6f1323ca (patch) | |
tree | c672317350ab61f1342df022092ed683f68b43f4 | |
parent | dcb0d8dd58e8283746c590702a459b2709339b7c (diff) |
Fix XSS issue in poll questions v0.4.1.1
closes #5274
-rw-r--r-- | Changelog.md | 4 | ||||
-rw-r--r-- | app/assets/templates/poll_tpl.jst.hbs | 6 | ||||
-rw-r--r-- | config/defaults.yml | 2 | ||||
-rw-r--r-- | spec/javascripts/app/views/poll_view_spec.js | 9 |
4 files changed, 17 insertions, 4 deletions
diff --git a/Changelog.md b/Changelog.md
index 9c56bddc5..9c0c976da 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.4.1.1
+
+* Fix XSS issue in poll questions [#5274](https://github.com/diaspora/diaspora/issues/5274)
+
 # 0.4.1.0
 ## New 'Terms of Service' feature and template
diff --git a/app/assets/templates/poll_tpl.jst.hbs b/app/assets/templates/poll_tpl.jst.hbs
index 20def69b1..f9aad7f18 100644
--- a/app/assets/templates/poll_tpl.jst.hbs
+++ b/app/assets/templates/poll_tpl.jst.hbs
@@ -1,7 +1,7 @@
 {{#if poll}}
 <div class="poll_form">
 <div class="row-fluid poll_head">
- <strong>{{{poll.question}}}</strong>
+ <strong>{{poll.question}}</strong>
 <div class="poll_statistic pull-right">
 {{t "poll.count" count=poll.participation_count}}
 </div>
@@ -12,13 +12,13 @@
 {{#poll.poll_answers}}
 <label class="radio result-row">
 <input type="radio" name="vote" value="{{id}}"/>
- {{answer}}
+ {{answer}}
 <span class="percentage pull-right" style="display: none;"></span>
 <div class="poll_progress_bar_wrapper progress" style="display: none">
 <div class="poll_progress_bar bar" data-answerid="{{id}}">
 </div>
 </div>
- </label>
+ </label>
 {{/poll.poll_answers}}
 <div class="toggle_result_wrapper">
 <a class="toggle_result" href="#">{{t "poll.show_result"}}</a>
diff --git a/config/defaults.yml b/config/defaults.yml
index c68d47847..743f03e40 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@ defaults:
 version:
- number: "0.4.1.0" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head"
+ number: "0.4.1.1" # Do not touch unless doing a release, do not backport the version number that's in master but keep develop to always say "head"
 heroku: false
 environment:
 url: "http://localhost:3000/"
diff --git a/spec/javascripts/app/views/poll_view_spec.js b/spec/javascripts/app/views/poll_view_spec.js
index 1fa4442dd..bbb2dccad 100644
--- a/spec/javascripts/app/views/poll_view_spec.js
+++ b/spec/javascripts/app/views/poll_view_spec.js
@@ -35,6 +35,15 @@ describe("app.views.Poll", function(){
 })
 });
+ describe("render", function() {
+ it("escapes the poll question", function() {
+ var question = "<script>alert(0);</script>";
+ this.view.poll.question = question;
+ this.view.render();
+ expect(this.view.$('.poll_head strong').text()).toBe(question);
+ });
+ });
+
 describe("vote form", function(){
 it('show vote form when user is logged in and not voted before', function(){
 expect(this.view.$('form').length).toBe(1);
|
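Review bot: The fix in the first poll_tpl.jst.hbs hunk now relies on Handlebars' default double-stash escaping, but nothing in the template records that `poll.question` is user-controlled, so a later edit could reintroduce the triple-stash without anyone noticing; a template comment directly above the changed line would pin the intent, e.g. `{{!-- poll.question is user input: keep the double-stash so Handlebars HTML-escapes it --}}`. The second hunk in the same file (the `{{answer}}` and `</label>` lines) looks whitespace-only after the page's collapsing, and `{{answer}}` was already double-stash, so there is nothing further to raise there. Whether the question is rendered anywhere else (other templates or server-side views) is outside this diff and would need the same check. The enclosing `{{#if poll}}` block continues past both hunks.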
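Review bot: The new "render" case only pins escaping for the question, while the same template also renders user-supplied `{{answer}}` values inside `.result-row`, so a sibling assertion in the same describe block would lock in that escaping too and catch a future triple-stash regression on either field. The `.text()`-equality approach used here is sound: an unescaped payload would become child elements and the text would no longer equal the input. How `this.view.poll` is constructed is outside the hunk, so the plain-array shape of `poll_answers` below is an assumption to confirm against the fixture; the enclosing `describe("app.views.Poll", …)` also starts before the hunk.

```javascript
  describe("render", function() {
    // … unchanged: "escapes the poll question" case …
    it("escapes the poll answers", function() {
      var answer = "<script>alert(0);</script>";
      // assumes poll_answers is a plain array, as the template iterates it directly — confirm against the fixture
      this.view.poll.poll_answers = [{id: 1, answer: answer}];
      this.view.render();
      expect(this.view.$('.result-row').first().text().trim()).toBe(answer);
    });
  });
```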