Merge pull request lokka#213 from morygonzalez/fix-admin-xss

Fix potentially XSS on admin/comments#index

public/admin/comments/index.haml

@@ -12,7 +12,7 @@
       - status = case comment.status; when Comment::APPROVED; t('comment_approved'); when Comment::MODERATED; t('comment_moderated'); when Comment::SPAM; t('comment_spam'); end
       %td= status
       %td.body= link_to truncate(strip_tags(comment.body)), url(comment.link)
-      %td= comment.name
+      %td= h(comment.name)
       %td= l(comment.created_at, :format => :long)
       %td= link_to t('edit'), url("/admin/comments/#{comment.id}/edit"), :class => 'button'
       %td= link_to t('delete'), url("/admin/comments/#{comment.id}"), :class => 'button', :confirm => t('are_you_sure'), :method => :delete

spec/integration/admin/comments_spec.rb

@@ -89,4 +89,17 @@
       it_behaves_like 'a not found page'
     end
   end
+
+  context "When <xmp> tag is used in comment author's name" do
+    before do
+      @comment.update(name: "<xmp>")
+    end
+
+    context "GET /admin/comments" do
+      it "should escape html tag" do
+        get "/admin/comments"
+        last_response.body.should match(/&lt;xmp&gt;/)
+      end
+    end
+  end
 end