Merge branch 'master' into stable

c238329c · Dennis Schubert · 2025fae4 · 9cb4b732 · c238329c · c238329c
--- a/Changelog.md
+++ b/Changelog.md
@@ -11,6 +11,11 @@

 ## Features

+# 0.5.5.1
+
+* Fix XSS on profile pages
+* Bump nokogiri to fix several libxml2 CVEs, see http://www.ubuntu.com/usn/usn-2834-1/
+
 # 0.5.5.0

 ## Bug fixes

--- a/Gemfile
+++ b/Gemfile
@@ -126,7 +126,7 @@ gem "messagebus_ruby_api", "1.0.3"

 # Parsing

-gem "nokogiri",          "1.6.6.4"
+gem "nokogiri",          "1.6.7.1"
 gem "redcarpet",         "3.3.3"
 gem "twitter-text",      "1.13.0"
 gem "roxml",             "3.1.6"

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -436,7 +436,7 @@ GEM
    method_source (0.8.2)
    mime-types (2.6.2)
    mini_magick (4.3.6)
-    mini_portile (0.6.2)
+    mini_portile2 (2.0.0)
    minitest (5.8.2)
    mobile-fu (1.3.1)
      rack-mobile-detect
@@ -453,8 +453,8 @@ GEM
      net-ssh (>= 2.6.5)
    net-ssh (3.0.1)
    nio4r (1.1.1)
-    nokogiri (1.6.6.4)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.1)
+      mini_portile2 (~> 2.0.0.rc2)
    notiffany (0.0.8)
      nenv (~> 0.1)
      shellany (~> 0.0)
@@ -817,7 +817,7 @@ DEPENDENCIES
  minitest
  mobile-fu (= 1.3.1)
  mysql2 (= 0.3.20)
-  nokogiri (= 1.6.6.4)
+  nokogiri (= 1.6.7.1)
  omniauth (= 1.2.2)
  omniauth-facebook (= 2.0.1)
  omniauth-tumblr (= 1.1)

--- a/app/assets/javascripts/app/helpers/handlebars-helpers.js
+++ b/app/assets/javascripts/app/helpers/handlebars-helpers.js
@@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
 });

 // relationship indicator for profile page
-Handlebars.registerHelper('sharingMessage', function(person) {
-  var i18n_scope = 'people.helper.is_not_sharing';
+Handlebars.registerHelper("sharingMessage", function(person) {
+  var i18nScope = "people.helper.is_not_sharing";
  var icon = "circle";
  if( person.is_sharing ) {
-    i18n_scope = 'people.helper.is_sharing';
+    i18nScope = "people.helper.is_sharing";
    icon = "entypo check";
  }

-  var title = Diaspora.I18n.t(i18n_scope, {name: person.name});
+  var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
  var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+
             '  <i id="sharing_message" class="'+icon+'"></i>'+
             '</span>';

--- a/spec/javascripts/app/helpers/handlebars-helpers_spec.js
+++ b/spec/javascripts/app/helpers/handlebars-helpers_spec.js
+describe("Handlebars helpers", function() {
+  beforeEach(function() {
+    Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
+  });
+
+  describe("sharingMessage", function() {
+    it("escapes the person's name", function() {
+      var person = { name: "\"><script>alert(0)</script> \"><script>alert(0)</script>"};
+      expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/<script>/);
+    });
+  });
+});