Tim Abbott 65b9d9e0f3 CVE-2018-9990: Fix XSS issue with stream names in topic typeahead. ...

Zulip's search typeahead had a security bug, where when autocompleting
a specially crafted stream name, and then hitting space, code within
the stream name would be executed.

Zulip was doing HTML escaping correctly in the main code path using
Filter.describe to describe a narrow, but the escaping function was
not called in a few parallel code paths.  We fix this in a way that
should protect all of these code paths, by making Filter.describe
return properly escaped HTML, rather than depending on its callers to
do so.

Thanks to w2w for reporting this issue.

2018-04-12 09:46:54 -07:00

..

casper_lib

hotkeys: Replace C with x for composing PM.

2018-04-01 16:13:05 -07:00

casper_tests

custom fields: Clean custom fields to use existing defined function.

2018-04-12 09:40:09 -07:00

node_tests

CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.

2018-04-12 09:46:54 -07:00

zjsunit

zjquery: Enforce only one arg for $(...) function.

2018-04-05 10:46:45 -04:00

.eslintrc.json

lint: Clean up json_rules logic for tab-based whitespace.

2017-11-23 12:01:20 -08:00

run-casper

casper tests: Show the server output inline.

2018-01-16 13:25:19 -05:00