From cf450f1e4f5f2317e64291487bfccd89a2b243bf Mon Sep 17 00:00:00 2001
From: Petteri Räty
Date: Tue, 2 Aug 2011 23:32:04 +0300
Subject: Fix two XSS injections

The EmailAddress problem was submitted upstream to hobo.
---
 app/views/taglibs/views.dryml | 2 +-
 config/initializers/email_address.rb | 9 +++++++++
 spec/models/user_spec.rb | 5 +++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 config/initializers/email_address.rb

diff --git a/app/views/taglibs/views.dryml b/app/views/taglibs/views.dryml
index c4bcd89..c5be181 100644
--- a/app/views/taglibs/views.dryml
+++ b/app/views/taglibs/views.dryml
@@ -10,7 +10,7 @@ <%= this.content.to_html %>
diff --git a/config/initializers/email_address.rb b/config/initializers/email_address.rb
new file mode 100644
index 0000000..02e48cb
--- /dev/null
+++ b/config/initializers/email_address.rb
@@ -0,0 +1,9 @@
+require 'hobo_fields/email_address'
+
+class HoboFields::EmailAddress
+ def to_html_with_escape(xmldoctype = true)
+ ERB::Util.h to_html_without_escape xmldoctype
+ end
+
+ alias_method_chain :to_html, :escape
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index e6724d8..7552a1e 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -8,6 +8,11 @@ describe User do
 new_user.role.should == :recruit
 end
+ it "should escape emails" do
+ u = User.new :email_address => "
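Review bot: In config/initializers/email_address.rb, `to_html_with_escape` applies `ERB::Util.h` to the output of the original `to_html` rather than to the raw address, so if the wrapped implementation deliberately emits markup or entities (the `xmldoctype` flag hints that it might; its body is not on this page) those would be escaped a second time and render literally — worth confirming against the hobo_fields source and covering in the "should escape emails" spec. The nested paren-less call `ERB::Util.h to_html_without_escape xmldoctype` is hard to read; `ERB::Util.h(to_html_without_escape(xmldoctype))` makes the evaluation order explicit. The monkey patch also has no comment saying why it exists or when it can go; add above the class `# HoboFields::EmailAddress#to_html renders the address unescaped (XSS); escape here until the fix submitted upstream to hobo ships, then delete this file.`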