From de289ee5d3eaad63dc4e3c49b8a1c750283fa3da Mon Sep 17 00:00:00 2001
From: evazion <noizave@gmail.com>
Date: Tue, 30 Sep 2014 03:03:00 -0500
Subject: [PATCH] Fix XSS in /artist_versions.

1) Put `<script>alert("xss 1")</script>` in the Other Names field in an
   artist entry.
2) Put `<script>alert("xss 2")</script>` in the URLs field.
3) Trick someone into the viewing the history page for that artist.
---
 app/helpers/artist_versions_helper.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/helpers/artist_versions_helper.rb b/app/helpers/artist_versions_helper.rb
index e9efe98fc..24d1f2527 100644
--- a/app/helpers/artist_versions_helper.rb
+++ b/app/helpers/artist_versions_helper.rb
@@ -3,13 +3,13 @@ module ArtistVersionsHelper
     diff = artist_version.other_names_diff(artist_version.previous)
     html = []
     diff[:added_names].each do |name|
-      html << '<ins>' + name + '</ins>'
+      html << '<ins>' + h(name) + '</ins>'
     end
     diff[:removed_names].each do |name|
-      html << '<del>' + name + '</del>'
+      html << '<del>' + h(name) + '</del>'
     end
     diff[:unchanged_names].each do |name|
-      html << '<span>' + name + '</span>'
+      html << '<span>' + h(name) + '</span>'
     end
     return html.join(" ").html_safe
   end
@@ -18,13 +18,13 @@ module ArtistVersionsHelper
     diff = artist_version.urls_diff(artist_version.previous)
     html = []
     diff[:added_urls].each do |url|
-      html << '<li><ins>' + url + '</ins></li>'
+      html << '<li><ins>' + h(url) + '</ins></li>'
     end
     diff[:removed_urls].each do |url|
-      html << '<li><del>' + url + '</del></li>'
+      html << '<li><del>' + h(url) + '</del></li>'
     end
     diff[:unchanged_urls].each do |url|
-      html << '<li><span>' + url + '</span></li>'
+      html << '<li><span>' + h(url) + '</span></li>'
     end
     return html.join(" ").html_safe
   end