author | Jonne Haß <me@mrzyx.de> | 2013-02-26 21:44:49 +0400 |
---|---|---|
committer | Jonne Haß <me@mrzyx.de> | 2013-02-26 22:06:01 +0400 |
commit | d6ff67fde2e4b48e83f3ec17714740d133c90b6a (patch) | |
tree | a4dd1255a1ae37cfb7f409f5133d93188285789f | |
parent | 4a92508281c5e16c584192a22b28fdfa6c13843a (diff) |
fix XSS vulnerability in conversations#new, closes #4010 (tag: v0.0.3.2)
-rw-r--r-- | Changelog.md | 4 | ||||
-rw-r--r-- | app/views/conversations/new.haml | 2 | ||||
-rw-r--r-- | config/defaults.yml | 2 | ||||
-rw-r--r-- | spec/controllers/conversations_controller_spec.rb | 8 |
4 files changed, 14 insertions, 2 deletions
diff --git a/Changelog.md b/Changelog.md
index 26c1b2c6a..6c4640a11 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.0.3.2
+
+* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
+
 # 0.0.3.1
 
 * exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.
diff --git a/app/views/conversations/new.haml b/app/views/conversations/new.haml
index afab424df..484534866 100644
--- a/app/views/conversations/new.haml
+++ b/app/views/conversations/new.haml
@@ -20,7 +20,7 @@
       keyDelay: 0,
       startText: '',
       emptyText: '#{t('no_results')}',
-      preFill: [{name : "#{params[:name]}",
+      preFill: [{name : "#{h params[:name]}",
                 value : "#{@contact_ids}"}]
     });
     autocompleteInput.focus();
diff --git a/config/defaults.yml b/config/defaults.yml
index 5bb2bb70f..e2afeb29f 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@
 defaults:
   version:
-    number: "0.0.3.1"
+    number: "0.0.3.2"
   heroku: false
   environment:
     url: "http://localhost:3000/"
diff --git a/spec/controllers/conversations_controller_spec.rb b/spec/controllers/conversations_controller_spec.rb
index a0963bcf8..60e3bf739 100644
--- a/spec/controllers/conversations_controller_spec.rb
+++ b/spec/controllers/conversations_controller_spec.rb
@@ -33,6 +33,14 @@ describe ConversationsController do
       get :new, :aspect_id => alice.aspects.first.id
       assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
     end
+
+    it "does not allow XSS via the name parameter" do
+      ["</script><script>alert(1);</script>",
+       '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+        get :new, name: xss
+        response.body.should_not include xss
+      end
+    end
   end
 
   describe '#index' do
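Review bot: `h` is the wrong escaper for the position on the `+` line — the interpolation sits inside a JavaScript string literal in what appears to be a script block, and HTML-escaping covers `<`, `>`, `&` and the quote characters but not a backslash or a newline (or U+2028/U+2029), which can still terminate or escape the literal and at minimum break the whole script with a syntax error. The Rails helper for this context is `escape_javascript` (`j`), which handles those characters and also rewrites `</` as `<\/`, so `preFill: [{name : "#{j params[:name]}",` is the more precise fix; `#{params[:name].to_json}` without the surrounding quotes would also do. The neighbouring context line `value : "#{@contact_ids}"` is interpolated raw as well; from the spec it looks to be a comma-joined list of integer ids, so presumably harmless, but it follows the same pattern. The enclosing script/filter block starts above this hunk and is not visible here.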
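Review bot: The assertion `response.body.should_not include xss` passes trivially when the view is never rendered, and RSpec-rails controller specs stub out view rendering unless `render_views` is declared; the head of this `describe` group is above the hunk, so I cannot tell whether it is, and if not the new example does not exercise the escaping at all. Declaring `render_views` in this group, or asserting the positive form `response.body.should include(ERB::Util.html_escape(xss))`, would make the example fail when the fix is absent. The two payloads cover only `<`, `>` and `"`; a name containing `\` or a newline is worth adding, since `h` leaves those untouched inside a JS string. As written, the example also only proves the raw payload is absent, which any transformation of the input (including one that truncates it) would satisfy.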