
fix XSS vulnerability in conversations#new, closes #4010

1 parent 4a92508 commit d6ff67fde2e4b48e83f3ec17714740d133c90b6a @jhass jhass committed Feb 26, 2013
Showing with 14 additions and 2 deletions.
  1. +4 −0 Changelog.md
  2. +1 −1 app/views/conversations/new.haml
  3. +1 −1 config/defaults.yml
  4. +8 −0 spec/controllers/conversations_controller_spec.rb
@@ -1,3 +1,7 @@
+# 0.0.3.2
+
+* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
+
# 0.0.3.1
* exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.
@@ -20,7 +20,7 @@
keyDelay: 0,
startText: '',
emptyText: '#{t('no_results')}',
- preFill: [{name : "#{params[:name]}",
+ preFill: [{name : "#{h params[:name]}",
value : "#{@contact_ids}"}]
});
autocompleteInput.focus();
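Review bot: `h` on the changed line is an HTML escaper applied inside a JavaScript string literal, so it closes the reported hole (quotes and `</script>` become entities, which is why the spec's two payloads no longer appear verbatim) but it is the wrong escaper for this context: it leaves backslashes and line terminators alone, and because entities are not decoded inside a script element a name such as `O'Brien & Co` will now reach the autocomplete pre-fill as `&#x27;`/`&amp;` text. The context-appropriate helper is `escape_javascript`, which escapes `\`, both quote characters, newlines and `</`; the line would read `preFill: [{name : "#{escape_javascript params[:name]}",`. The neighbouring `value : "#{@contact_ids}"` is still interpolated raw; from the spec it appears to be built server-side from contact ids, so it looks safe, but that is inferred rather than visible here. The enclosing script filter starts outside the hunk.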
@@ -4,7 +4,7 @@
defaults:
version:
- number: "0.0.3.1"
+ number: "0.0.3.2"
heroku: false
environment:
url: "http://localhost:3000/"
@@ -33,6 +33,14 @@
get :new, :aspect_id => alice.aspects.first.id
assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
end
+
+ it "does not allow XSS via the name parameter" do
+ ["</script><script>alert(1);</script>",
+ '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+ get :new, name: xss
+ response.body.should_not include xss
+ end
+ end
end
describe '#index' do
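Review bot: `response.body.should_not include xss` in the new example only proves anything if the view is actually rendered; rspec-rails controller specs stub out view rendering by default, so unless `render_views` is declared earlier in this file (the enclosing describe starts outside the hunk) the body is empty and the assertion passes with or without the fix. Declaring `render_views` in this group closes that gap. The negative check would also be stronger paired with a positive one, so the example fails if the parameter stops being emitted at all rather than being escaped, for instance `response.should be_success` together with an assertion that a marker from the template (e.g. `preFill`) is present in the body.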
