Merge pull request mozilla#627 from mozilla/production

Merge hotfix from Production
brianloveswords · Feb 25, 2013 · f94cde8 · f94cde8
2 parents d287bca + 66f1ea6
commit f94cde8
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 11 deletions.
diff --git a/controllers/demo.js b/controllers/demo.js
@@ -89,7 +89,7 @@ function makeDemoAssertion(email, image, title, description) {
     badge: {
       version: 'v0.5.0',
       name: 'DEMO: ' + (title || 'Open Badges Demo Badge'),
-      description: description || "For rocking in the free world",
+      description: description || 'For rocking in the "free world"',
       image: image,
       criteria: '/demo/criteria',
       issuer: {

diff --git a/middleware.js b/middleware.js
@@ -5,7 +5,7 @@ var configuration = require('./lib/configuration');
 var logger = require('./lib/logging').logger;
 var crypto = require('crypto');
 var User = require('./models/user');
-    
+
 // `COOKIE_SECRET` is randomly generated on the first run of the server,
 // then stored to a file and looked up on restart to maintain state.
 // See the `secrets.js` for more information.
@@ -48,28 +48,29 @@ exports.userFromSession = function userFromSession() {
   return function (req, res, next) {
     var email = '';
     var emailRe = /^.+?\@.+?\.*$/;
-    
+
     if (!req.session) {
       logger.debug('could not find session');
       return next();
     }
-    
+
     if (!req.session.emails) {
       return next();
     }
-    
+
     email = req.session.emails[0];
-    
+
     if (!emailRe.test(email)) {
       logger.warn('req.session.emails does not contain valid user: ' + email);
       req.session = {};
       return req.next();
     }
-    
+
     User.findOrCreate(email, function (err, user) {
       if (err) {
         logger.error("Problem finding/creating user:");
         logger.error(err);
+        return next(err);
       }
       req.user = res.locals.user = user;
       return next();
@@ -115,7 +116,7 @@ exports.csrf = function (options) {
   var list = options.whitelist;
   return function (req, res, next) {
     if (whitelisted(list, req.url)) return next();
-    
+
     var token = req.session._csrf || (req.session._csrf = utils.uid(24));
     if ('GET' == req.method || 'HEAD' == req.method) return next();
     var val = value(req);

diff --git a/models/badge.js b/models/badge.js
@@ -32,6 +32,9 @@ Badge.confirmRecipient = function confirmRecipient(assertion, email) {
   if (!recipient || !email)
     return false;
 
+  if (typeof recipient !== 'string')
+    return false
+
   // if it's an email address, do a straight comparison
   if (/@/.test(recipient))
     return recipient === email;

diff --git a/views/backpack.html b/views/backpack.html
@@ -26,7 +26,7 @@ <h1>No badges.  Better get out there and start earning some!</h1>
     <h1><span data-title="Badges" data-content="These are the badges you've earned so far! Click on one to see its details." rel="popover">Badges{% if tooltips %}<i class="icon-info-sign"></i>{% endif %}</span></h1>
     <div id="badges" class="js-badges">
       {% for badge in badges %}
-        <span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name}}" data-content="<span>{{badge.attributes.body.badge.description}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name}}</span>">
+        <span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name|escape}}" data-content="<span>{{badge.attributes.body.badge.description|escape}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name|escape}}</span>">
           <img src="{{badge.attributes.image_path}}" width="64px"/>
         </span>
       {% endfor %}
@@ -67,7 +67,7 @@ <h1><span rel="popover" data-title="Groups" data-content="You can drag-and-drop
         </span>
 
           {% for badge in group.attributes.badgeObjects %}
-            <span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name}}" data-content="<span>{{badge.attributes.body.badge.description}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name}}</span>">
+            <span draggable="true" class="openbadge" data-id="{{badge.attributes.id}}" rel="popinfo" data-title="{{badge.attributes.body.badge.name|escape}}" data-content="<span>{{badge.attributes.body.badge.description|escape}}</span><span>Issuer: {{badge.attributes.body.badge.issuer.name|escape}}</span>">
               <img src="{{badge.attributes.image_path}}" width="64px"/>
             </span>
           {% endfor %}

diff --git a/views/badges_partial.html b/views/badges_partial.html
@@ -1,3 +1,3 @@
-<span draggable="true" class="openbadge" data-id="{{id}}" rel="popinfo" data-title="{{body.badge.name}}" data-content="<span>{{body.badge.description}}</span><span>Issuer: {{body.badge.issuer.name}}</span>">
+<span draggable="true" class="openbadge" data-id="{{id}}" rel="popinfo" data-title="{{body.badge.name|escape}}" data-content="<span>{{body.badge.description|escape}}</span><span>Issuer: {{body.badge.issuer.name|escape}}</span>">
   <img src="{{image_path}}" width="64px"/>
 </span>