
Merge pull request #627 from mozilla/production

Merge hotfix from Production
2 parents d287bca + 66f1ea6 commit f94cde808aa67e6d2a135a7a9a81db829deb13fd @brianloveswords committed Feb 25, 2013
Showing with 15 additions and 11 deletions.
  1. +1 −1 controllers/demo.js
  2. +8 −7 middleware.js
  3. +3 −0 models/badge.js
  4. +2 −2 views/backpack.html
  5. +1 −1 views/badges_partial.html
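--- a/controllers/demo.js
+++ b/controllers/demo.js
@@ -89,7 +89,7 @@ function makeDemoAssertion(email, image, title, description) {
 badge: {
 version: 'v0.5.0',
 name: 'DEMO: ' + (title || 'Open Badges Demo Badge'),
-description: description || "For rocking in the free world",
+description: description || 'For rocking in the "free world"',
 image: image,
 criteria: '/demo/criteria',
 issuer: {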
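--- a/middleware.js
+++ b/middleware.js
@@ -5,7 +5,7 @@ var configuration = require('./lib/configuration');
 var logger = require('./lib/logging').logger;
 var crypto = require('crypto');
 var User = require('./models/user');
-
+
 // `COOKIE_SECRET` is randomly generated on the first run of the server,
 // then stored to a file and looked up on restart to maintain state.
 // See the `secrets.js` for more information.
@@ -48,28 +48,29 @@ exports.userFromSession = function userFromSession() {
 return function (req, res, next) {
 var email = '';
 var emailRe = /^.+?\@.+?\.*$/;
-
+
 if (!req.session) {
 logger.debug('could not find session');
 return next();
 }
-
+
 if (!req.session.emails) {
 return next();
 }
-
+
 email = req.session.emails[0];
-
+
 if (!emailRe.test(email)) {
 logger.warn('req.session.emails does not contain valid user: ' + email);
 req.session = {};
 return req.next();
 }
-
+
 User.findOrCreate(email, function (err, user) {
 if (err) {
 logger.error("Problem finding/creating user:");
 logger.error(err);
+return next(err);
 }
 req.user = res.locals.user = user;
 return next();
@@ -115,7 +116,7 @@ exports.csrf = function (options) {
 var list = options.whitelist;
 return function (req, res, next) {
 if (whitelisted(list, req.url)) return next();
-
+
 var token = req.session._csrf || (req.session._csrf = utils.uid(24));
 if ('GET' == req.method || 'HEAD' == req.method) return next();
 var val = value(req);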
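Review bot: `emailRe` on the new side of the userFromSession hunk, `/^.+?\@.+?\.*$/`, does not check what its name and the warning message suggest: `\.*` allows zero dots, so any string with an `@` and at least one character on each side passes and is handed to `User.findOrCreate`. If the intent is to require a dotted domain, `/^[^@\s]+@[^@\s]+\.[^@\s]+$/` expresses that; whether rejecting existing sessions that would no longer match is acceptable depends on how `req.session.emails` is populated, which is not visible here. The invalid-email branch a few lines down also calls `return req.next();` where the newly added `return next(err);` uses the closure argument, so `return next();` there would be consistent. The added `return next(err)` is the right fix for the error path that previously fell through to `req.user = ... user`. The function returned by userFromSession closes outside the hunk.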
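--- a/models/badge.js
+++ b/models/badge.js
@@ -32,6 +32,9 @@ Badge.confirmRecipient = function confirmRecipient(assertion, email) {
 if (!recipient || !email)
 return false;
+if (typeof recipient !== 'string')
+return false
+
 // if it's an email address, do a straight comparison
 if (/@/.test(recipient))
 return recipient === email;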
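Review bot: The added `return false` under the `typeof` guard has no terminating semicolon while the neighbouring `return false;` does, so the new line relies on ASI in a file that otherwise terminates statements. The two guards can be collapsed into one, which also fixes that: `if (!recipient || !email || typeof recipient !== 'string') return false;`. The same type check may be wanted for `email`, since the comment on the next line implies a non-email (presumably hashed) comparison path below that derives from it — that path is not visible in the hunk. confirmRecipient continues past the hunk.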
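--- a/views/backpack.html
+++ b/views/backpack.html
@@ -26,7 +26,7 @@ <h4 class="alert-heading">Welcome to your Badge Backpack!</h4>
 <h1><span data-title="Badges" data-content="These are the badges you've earned so far! Click on one to see its details." rel="popover">Badges{% if tooltips %}<i class="icon-info-sign"></i>{% endif %}</span></h1>
 <div id="badges" class="js-badges">
 {% for badge in badges %}
-<span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name}}" data-content="<span>{{badge.attributes.body.badge.description}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name}}</span>">
+<span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name|escape}}" data-content="<span>{{badge.attributes.body.badge.description|escape}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name|escape}}</span>">
 <img src="{{badge.attributes.image_path}}" width="64px"/>
 </span>
 {% endfor %}
@@ -67,7 +67,7 @@ <h4 class="alert-heading">Welcome to your Badge Backpack!</h4>
 </span>
 {% for badge in group.attributes.badgeObjects %}
-<span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name}}" data-content="<span>{{badge.attributes.body.badge.description}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name}}</span>">
+<span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name|escape}}" data-content="<span>{{badge.attributes.body.badge.description|escape}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name|escape}}</span>">
 <img src="{{badge.attributes.image_path}}" width="64px"/>
 </span>
 {% endfor %}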
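Review bot: The `|escape` added to the `data-title` and `data-content` values on both changed spans protects the attribute boundary, but the `data-content` value is itself `<span>…</span>` markup, which suggests the popinfo popover inserts it as HTML; the browser decodes entities when it parses the attribute, so after a single escape a name or description containing markup would still reach the popover as markup. If the popover does build its body from `data-content` as HTML, that value needs a second escaping pass for the inner context (e.g. `{{badge.attributes.body.badge.description|escape|escape}}`, likewise for the issuer name), or the popover should set text rather than HTML — which of the two applies depends on the popover code, not visible here. `{{badge.attributes.image_path}}` in the `<img src>` on the following line of each hunk is left unescaped, which is only safe if that value is never influenced by the badge issuer. The same pattern appears in views/badges_partial.html.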
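--- a/views/badges_partial.html
+++ b/views/badges_partial.html
@@ -1,3 +1,3 @@
-<span draggable="true" class="openbadge" data-id="{{id}}" rel="popinfo" data-title="{{body.badge.name}}" data-content="<span>{{body.badge.description}}</span><span>Issuer: {{body.badge.issuer.name}}</span>">
+<span draggable="true" class="openbadge" data-id="{{id}}" rel="popinfo" data-title="{{body.badge.name|escape}}" data-content="<span>{{body.badge.description|escape}}</span><span>Issuer: {{body.badge.issuer.name|escape}}</span>">
 <img src="{{image_path}}" width="64px"/>
 </span>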
