fix potential xss vulnerability if a user has dangerous values in their data

Author: benmcredmond

lib/intercom-rails/script_tag.rb

@@ -1,5 +1,6 @@
-require "active_support/json"
-require "active_support/core_ext/hash/indifferent_access"
+require 'active_support/json'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'active_support/core_ext/string/output_safety'
 
 module IntercomRails
 
@@ -36,9 +37,11 @@ def intercom_settings
     end
 
     def output
+      intercom_settings_json = ActiveSupport::JSON.encode(intercom_settings).gsub('<', '\u003C')
+
       str = <<-INTERCOM_SCRIPT
 <script id="IntercomSettingsScriptTag">
-  window.intercomSettings = #{ActiveSupport::JSON.encode(intercom_settings)};
+  window.intercomSettings = #{intercom_settings_json};
 </script>
 <script>(function(){var w=window;var ic=w.Intercom;if(typeof ic==="function"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || 'https://api.intercom.io/api/js/library.js'}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()</script>
       INTERCOM_SCRIPT

test/intercom-rails/script_tag_test.rb

@@ -102,4 +102,10 @@ def test_company_discovery_and_inclusion
     assert_equal expected_company, script_tag.intercom_settings[:company]
   end
 
+  def test_escapes_html_attributes
+    nasty_email = "</script><script>alert('sup?');</script>"
+    script_tag = ScriptTag.new(:user_details => {:email => nasty_email})
+    assert !script_tag.output.include?(nasty_email), "script tag included"
+  end
+
 end