From 647395a504e989b59fff251e70e92bdefb6e2a4f Mon Sep 17 00:00:00 2001 From: JC Brand Date: Wed, 12 Jul 2017 22:38:03 +0200 Subject: [PATCH 1/2] Use a patched version of awesomplete... which doesn't render suggestions as HTML. See https://github.com/LeaVerou/awesomplete/pull/17082 --- CHANGES.md | 9 ++++++++- package.json | 2 +- src/config.js | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 86e169872..104f50801 100755
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,13 @@
 # Changelog
-## 3.1.0 ((2017-07-05))
+## 3.1.1 (Unreleased)
+
+- Use a patched version of [awesomplete](https://github.com/LeaVerou/awesomplete) which doesn't render suggestions as HTML (possible XSS attack vector). [jcbrand]
+
+More info here: https://github.com/LeaVerou/awesomplete/pull/17082
+
+## 3.1.0 (2017-07-05)
 ### API changes
 - Deprecate the `updateSettings` method in favour of
diff --git a/package.json b/package.json
index c3d04e1cc..9df787f4f 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
 },
 "devDependencies": {
 "almond": "~0.3.3",
- "awesomplete": "^1.1.1",
+ "awesomplete-avoid-xss": "^1.1.2",
 "backbone": "1.3.3",
 "backbone.browserStorage": "0.0.3",
 "backbone.overview": "0.0.3",
diff --git a/src/config.js b/src/config.js
index a27bb2dec..88402d43a 100644
--- a/src/config.js
+++ b/src/config.js
@@ -16,7 +16,7 @@ require.config({
 baseUrl: '.',
 paths: {
 "almond": "node_modules/almond/almond",
- "awesomplete": "node_modules/awesomplete/awesomplete",
+ "awesomplete": "node_modules/awesomplete-avoid-xss/awesomplete",
 "backbone": "node_modules/backbone/backbone",
 "backbone.noconflict": "src/backbone.noconflict",
 "backbone.browserStorage": "node_modules/backbone.browserStorage/backbone.browserStorage",
From 7721275962cc006d74f58d38b767d8e351de8e29 Mon Sep 17 00:00:00 2001
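Review bot: The security-motivated swap in the package.json hunk takes the fork with a caret range, `"awesomplete-avoid-xss": "^1.1.2"`, so any later publish under that name lands in the next `npm install` and in the bundled dist files without review; for a small fork adopted specifically as an XSS fix, pin it exactly (`"awesomplete-avoid-xss": "1.1.2"`) or reference the reviewed commit, and re-check the pin when upstream merges the linked PR. The copy of the fork's `_.ITEM` that is bundled later in this series builds its highlight regex as `new RegExp("("+input+")", "ig")` from the raw input, where the line it replaces escaped it with `$.regExpEscape`; a typed `(`, `[` or `\` will throw an invalid-regex error and metacharacters such as `.` will highlight more than the typed text, so the fork should be asked to restore `$.regExpEscape(input)` before this dependency is relied on. The HTML-injection fix itself, building text nodes and setting `textContent` instead of `innerHTML`, looks correct from the bundled code.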
From: JC Brand Date: Wed, 12 Jul 2017 22:51:56 +0200 Subject: [PATCH 2/2] New release v3.1.1 --- CHANGES.md | 2 +- Makefile | 21 +++++++++++---------- bower.json | 2 +- dist/converse-mobile.js | 23 +++++++++++++++++------ dist/converse-no-dependencies.js | 2 +- dist/converse.js | 23 +++++++++++++++++------ dist/inverse.js | 23 +++++++++++++++++------ docs/source/conf.py | 4 ++-- locale/converse.pot | 4 ++-- package.json | 2 +- src/start.frag | 2 +- 11 files changed, 71 insertions(+), 37 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 104f50801..482c6df4d 100755
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,6 @@
 # Changelog
-## 3.1.1 (Unreleased)
+## 3.1.1 ((2017-07-12))
 - Use a patched version of [awesomplete](https://github.com/LeaVerou/awesomplete) which doesn't render suggestions as HTML (possible XSS attack vector). [jcbrand]
diff --git a/Makefile b/Makefile
index ea13a8b71..ffd15b107 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ PO2JSON ?= ./node_modules/.bin/po2json
 RJS ?= ./node_modules/.bin/r.js
 SASS ?= ./.bundle/bin/sass
 SPHINXBUILD ?= ./bin/sphinx-build
+SED ?= sed
 SPHINXOPTS =
 # Internal variables.
@@ -78,16 +79,16 @@ po2json:
 .PHONY: release
 release:
- sed -ri s/Version:\ [0-9]\+\.[0-9]\+\.[0-9]\+/Version:\ $(VERSION)/ src/start.frag
- sed -ri s/Project-Id-Version:\ Converse\.js\ [0-9]\+\.[0-9]\+\.[0-9]\+/Project-Id-Version:\ Converse.js\ $(VERSION)/ locale/converse.pot
- sed -ri s/\"version\":\ \"[0-9]\+\.[0-9]\+\.[0-9]\+\"/\"version\":\ \"$(VERSION)\"/ bower.json
- sed -ri s/\"version\":\ \"[0-9]\+\.[0-9]\+\.[0-9]\+\"/\"version\":\ \"$(VERSION)\"/ package.json
- sed -ri s/--package-version=[0-9]\+\.[0-9]\+\.[0-9]\+/--package-version=$(VERSION)/ Makefile
- sed -ri s/v[0-9]\+\.[0-9]\+\.[0-9]\+\.zip/v$(VERSION)\.zip/ index.html
- sed -ri s/v[0-9]\+\.[0-9]\+\.[0-9]\+\.tar\.gz/v$(VERSION)\.tar\.gz/ index.html
- sed -ri s/version\ =\ \'[0-9]\+\.[0-9]\+\.[0-9]\+\'/version\ =\ \'$(VERSION)\'/ docs/source/conf.py
- sed -ri s/release\ =\ \'[0-9]\+\.[0-9]\+\.[0-9]\+\'/release\ =\ \'$(VERSION)\'/ docs/source/conf.py
- sed -ri "s/(Unreleased)/(`date +%Y-%m-%d`)/" CHANGES.md
+ $(SED) -ri s/Version:\ [0-9]\+\.[0-9]\+\.[0-9]\+/Version:\ $(VERSION)/ src/start.frag
+ $(SED) -ri s/Project-Id-Version:\ Converse\.js\ [0-9]\+\.[0-9]\+\.[0-9]\+/Project-Id-Version:\ Converse.js\ $(VERSION)/ locale/converse.pot
+ $(SED) -ri s/\"version\":\ \"[0-9]\+\.[0-9]\+\.[0-9]\+\"/\"version\":\ \"$(VERSION)\"/ bower.json
+ $(SED) -ri s/\"version\":\ \"[0-9]\+\.[0-9]\+\.[0-9]\+\"/\"version\":\ \"$(VERSION)\"/ package.json
+ $(SED) -ri s/--package-version=[0-9]\+\.[0-9]\+\.[0-9]\+/--package-version=$(VERSION)/ Makefile
+ $(SED) -ri s/v[0-9]\+\.[0-9]\+\.[0-9]\+\.zip/v$(VERSION)\.zip/ index.html
+ $(SED) -ri s/v[0-9]\+\.[0-9]\+\.[0-9]\+\.tar\.gz/v$(VERSION)\.tar\.gz/ index.html
+ $(SED) -ri s/version\ =\ \'[0-9]\+\.[0-9]\+\.[0-9]\+\'/version\ =\ \'$(VERSION)\'/ docs/source/conf.py
+ $(SED) -ri s/release\ =\ \'[0-9]\+\.[0-9]\+\.[0-9]\+\'/release\ =\ \'$(VERSION)\'/ docs/source/conf.py
+ $(SED) -ri "s/(Unreleased)/`date +%Y-%m-%d`/" CHANGES.md
 make pot
 make po
 make po2json
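Review bot: The parentheses in the last recipe line's pattern, `s/(Unreleased)/.../`, are an ERE group under `-r` rather than literal characters, so the pattern matches a bare `Unreleased` anywhere in CHANGES.md, and the old replacement `(`date +%Y-%m-%d`)` is presumably what produced the doubled heading `## 3.1.1 ((2017-07-12))` that the CHANGES.md hunk earlier in this patch still carries. Dropping the parentheses from the replacement, as this hunk does, yields the right text only because the file's own pair is left untouched; escaping the pattern states the intent directly: `$(SED) -ri "s/\(Unreleased\)/(`date +%Y-%m-%d`)/" CHANGES.md`. The 3.1.1 heading written by this release should be corrected to a single pair in the same change. Making `SED` overridable is a reasonable step, but `-r` and `-i` with no suffix are GNU flags, so a one-line comment above `SED ?= sed` such as `# release needs GNU sed (-r/-i); set SED=gsed on BSD/macOS` would save the next person a failed release.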
diff --git a/bower.json b/bower.json
index a9a12dfd4..fa99e3aaf 100644
--- a/bower.json
+++ b/bower.json
@@ -1,7 +1,7 @@
 {
 "name": "converse.js",
 "description": "Web-based XMPP/Jabber chat client written in javascript",
- "version": "3.1.0",
+ "version": "3.1.1",
 "license": "MPL-2.0",
 "devDependencies": {},
 "dependencies": {},
diff --git a/dist/converse-mobile.js b/dist/converse-mobile.js
index 516494a35..2fd39b958 100644
--- a/dist/converse-mobile.js
+++ b/dist/converse-mobile.js
@@ -2,7 +2,7 @@
 *
 * An XMPP chat client that runs in the browser.
 *
- * Version: 3.1.0
+ * Version: 3.1.1
 */
 /* jshint ignore:start */
@@ -51680,11 +51680,22 @@ _.SORT_BYLENGTH = function (a, b) {
 };
 _.ITEM = function (text, input) {
- var html = input.trim() === "" ? text : text.replace(RegExp($.regExpEscape(input.trim()), "gi"), "$&");
- return $.create("li", {
- innerHTML: html,
- "aria-selected": "false"
- });
+ input = input.trim();
+ var element = document.createElement("li");
+ element.setAttribute("aria-selected", "false");
+
+ var regex = new RegExp("("+input+")", "ig");
+ var parts = input ? text.split(regex) : [text];
+ parts.forEach(function (txt) {
+ if (input && txt.match(regex)) {
+ var match = document.createElement("mark");
+ match.textContent = txt;
+ element.appendChild(match);
+ } else {
+ element.appendChild(document.createTextNode(txt));
+ }
+ });
+ return element;
 };
 _.REPLACE = function (text) {
diff --git a/dist/converse-no-dependencies.js b/dist/converse-no-dependencies.js
index 2190b3145..1c8a6c5ed 100644
--- a/dist/converse-no-dependencies.js
+++ b/dist/converse-no-dependencies.js
@@ -2,7 +2,7 @@
 *
 * An XMPP chat client that runs in the browser.
 *
- * Version: 3.1.0
+ * Version: 3.1.1
 */
 /* jshint ignore:start */
diff --git a/dist/converse.js b/dist/converse.js
index 990330395..1166823f2 100644
--- a/dist/converse.js
+++ b/dist/converse.js
@@ -2,7 +2,7 @@
 *
 * An XMPP chat client that runs in the browser.
 *
- * Version: 3.1.0
+ * Version: 3.1.1
 */
 /* jshint ignore:start */
@@ -55014,11 +55014,22 @@ _.SORT_BYLENGTH = function (a, b) {
 };
 _.ITEM = function (text, input) {
- var html = input.trim() === "" ? text : text.replace(RegExp($.regExpEscape(input.trim()), "gi"), "$&");
- return $.create("li", {
- innerHTML: html,
- "aria-selected": "false"
- });
+ input = input.trim();
+ var element = document.createElement("li");
+ element.setAttribute("aria-selected", "false");
+
+ var regex = new RegExp("("+input+")", "ig");
+ var parts = input ? text.split(regex) : [text];
+ parts.forEach(function (txt) {
+ if (input && txt.match(regex)) {
+ var match = document.createElement("mark");
+ match.textContent = txt;
+ element.appendChild(match);
+ } else {
+ element.appendChild(document.createTextNode(txt));
+ }
+ });
+ return element;
 };
 _.REPLACE = function (text) {
diff --git a/dist/inverse.js b/dist/inverse.js
index 563fd6637..13a9af8c7 100644
--- a/dist/inverse.js
+++ b/dist/inverse.js
@@ -2,7 +2,7 @@
 *
 * An XMPP chat client that runs in the browser.
 *
- * Version: 3.1.0
+ * Version: 3.1.1
 */
 /* jshint ignore:start */
@@ -55014,11 +55014,22 @@ _.SORT_BYLENGTH = function (a, b) {
 };
 _.ITEM = function (text, input) {
- var html = input.trim() === "" ? text : text.replace(RegExp($.regExpEscape(input.trim()), "gi"), "$&");
- return $.create("li", {
- innerHTML: html,
- "aria-selected": "false"
- });
+ input = input.trim();
+ var element = document.createElement("li");
+ element.setAttribute("aria-selected", "false");
+
+ var regex = new RegExp("("+input+")", "ig");
+ var parts = input ? text.split(regex) : [text];
+ parts.forEach(function (txt) {
+ if (input && txt.match(regex)) {
+ var match = document.createElement("mark");
+ match.textContent = txt;
+ element.appendChild(match);
+ } else {
+ element.appendChild(document.createTextNode(txt));
+ }
+ });
+ return element;
 };
 _.REPLACE = function (text) {
diff --git a/docs/source/conf.py b/docs/source/conf.py
index 8a208e6c3..45b090553 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -48,9 +48,9 @@ copyright = u'2014, JC Brand'
 # built documents.
 #
 # The short X.Y version.
-version = '3.1.0'
+version = '3.1.1'
 # The full version, including alpha/beta/rc tags.
-release = '3.1.0'
+release = '3.1.1'
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/locale/converse.pot b/locale/converse.pot
index fe167677c..76827e54b 100644
--- a/locale/converse.pot
+++ b/locale/converse.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: Converse.js 3.1.0\n"
+"Project-Id-Version: Converse.js 3.1.1\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2017-07-05 09:57+0000\n"
+"POT-Creation-Date: 2017-07-12 22:49+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
diff --git a/package.json b/package.json
index 9df787f4f..87ca39a98 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "converse.js",
- "version": "3.1.0",
+ "version": "3.1.1",
 "description": "Browser based XMPP instant messaging client",
 "main": "main.js",
 "directories": {
diff --git a/src/start.frag b/src/start.frag
index 936b8d793..61331ce6d 100644
--- a/src/start.frag
+++ b/src/start.frag
@@ -2,7 +2,7 @@
 *
 * An XMPP chat client that runs in the browser.
 *
- * Version: 3.1.0
+ * Version: 3.1.1
 */
 /* jshint ignore:start */