authorJonne Haß <me@mrzyx.de>2013-02-26 21:44:49 +0400
committerJonne Haß <me@mrzyx.de>2013-02-26 22:06:01 +0400
commitd6ff67fde2e4b48e83f3ec17714740d133c90b6a (patch)
treea4dd1255a1ae37cfb7f409f5133d93188285789f
parent4a92508281c5e16c584192a22b28fdfa6c13843a (diff)
fix XSS vulnerability in conversations#new, closes #4010v0.0.3.2
-rw-r--r--Changelog.md4
-rw-r--r--app/views/conversations/new.haml2
-rw-r--r--config/defaults.yml2
-rw-r--r--spec/controllers/conversations_controller_spec.rb8
4 files changed, 14 insertions, 2 deletions
diff --git a/Changelog.md b/Changelog.md
index 26c1b2c6a..6c4640a11 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.0.3.2
+
+* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
+
# 0.0.3.1
* exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.
diff --git a/app/views/conversations/new.haml b/app/views/conversations/new.haml
index afab424df..484534866 100644
--- a/app/views/conversations/new.haml
+++ b/app/views/conversations/new.haml
@@ -20,7 +20,7 @@
keyDelay: 0,
startText: '',
emptyText: '#{t('no_results')}',
- preFill: [{name : "#{params[:name]}",
+ preFill: [{name : "#{h params[:name]}",
value : "#{@contact_ids}"}]
});
autocompleteInput.focus();
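Review bot: `h` is the HTML escaper, but on the changed line the value lands inside a JavaScript string literal within a script block, so the context-appropriate escaper is `escape_javascript` (aliased `j` in ActionView), which also handles backslashes and newlines that `h` leaves untouched; I would write `preFill: [{name : "#{escape_javascript params[:name]}",`. HTML-escaping does neutralise the `</script>` and `"` break-outs the new spec covers, but a `name` ending in a backslash still escapes the closing quote and misparses the literal, and a legitimate name containing `&` reaches the widget as `&amp;`. The same consideration applies to `value : "#{@contact_ids}"` on the following line, although that value appears to be server-derived rather than taken from the request. The enclosing filter block starts before the hunk, so I cannot see whether anything else on the page interpolates request data the same way.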
diff --git a/config/defaults.yml b/config/defaults.yml
index 5bb2bb70f..e2afeb29f 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@
defaults:
version:
- number: "0.0.3.1"
+ number: "0.0.3.2"
heroku: false
environment:
url: "http://localhost:3000/"
diff --git a/spec/controllers/conversations_controller_spec.rb b/spec/controllers/conversations_controller_spec.rb
index a0963bcf8..60e3bf739 100644
--- a/spec/controllers/conversations_controller_spec.rb
+++ b/spec/controllers/conversations_controller_spec.rb
@@ -33,6 +33,14 @@ describe ConversationsController do
get :new, :aspect_id => alice.aspects.first.id
assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
end
+
+ it "does not allow XSS via the name parameter" do
+ ["</script><script>alert(1);</script>",
+ '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+ get :new, name: xss
+ response.body.should_not include xss
+ end
+ end
end
describe '#index' do
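Review bot: The new example only asserts that the raw payload is absent from the body, which also passes if `name` is never rendered, so it does not actually prove the escaping is in place. A positive check that the escaped form appears, e.g. `response.body.should include "&lt;/script&gt;"` for the first payload, pins the behaviour to the escaper the view uses; it would need adjusting if a JavaScript-context escaper replaces `h` there. The enclosing describe block starts before the hunk.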