Merge branch '760-XSS-with-person-name' of https://github.com/Dorian/diaspora...

Merge branch '760-XSS-with-person-name' of https://github.com/Dorian/diaspora into Dorian-760-XSS-with-person-name

Merge branch '760-XSS-with-person-name' of https://github.com/Dorian/diaspora...
6ba2e0b6 · MrZYX · 2f135f25 · 5cbccda3 · 6ba2e0b6 · 6ba2e0b6
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -124,7 +124,7 @@ module ApplicationHelper
  end

  def person_image_tag(person, size=:thumb_small)
-    "<img alt='#{person.name}' class='avatar' data-person_id='#{person.id}' src='#{image_or_default(person, size)}' title='#{person.name}'>".html_safe
+    "<img alt=\"#{h(person.name)}\" class=\"avatar\" data-person_id=\"#{person.id}\" src=\"#{image_or_default(person, size)}\" title=\"#{h(person.name)}\">".html_safe
  end

  def person_link(person)

--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -41,6 +41,14 @@ describe ApplicationHelper do
      person_image_link(@person).should include(person_path(@person))
    end
  end
+  
+  describe "#person_image_tag" do
+    it "should not allow basic XSS/HTML" do
+      @person.profile.first_name = "I'm <h1>Evil"
+      @person.profile.last_name = "I'm <h1>Evil"
+      person_image_tag(@person).should_not include("<h1>")
+    end
+  end

  describe "markdownify" do
    describe "autolinks" do