VYPR
Moderate severity · NVD Advisory · Published Jun 16, 2014 · Updated May 6, 2026

CVE-2014-3995

Description

Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.
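The description above in runnable form, as an added example that is not Djblets' code: the pre-fix and post-fix renderings of the gravatar tag side by side, with html.escape standing in for the conditional_escape that django.utils.html.format_html applies to each argument, and a hypothetical gravatar_url helper that mirrors only the URL shape seen in the upstream test. The tag_is_intact check is a constructed heuristic for a regression test, not a Djblets API.

```python
import hashlib
import html

# Constructed sample input: the hostile display name from the upstream test.
HOSTILE_NAME = '"><script>alert(1);</script><"'


def gravatar_url(email, size, secure=False):
    """Build a Gravatar URL: md5 of the lowercased, stripped address.

    Hypothetical stand-in for Djblets' get_gravatar_url; only the URL
    shape from the upstream test is mirrored.
    """
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    scheme = "https" if secure else "http"
    return "%s://www.gravatar.com/avatar/%s?s=%d" % (scheme, digest, size)


def render_vulnerable(url, size, name):
    """Pre-fix behaviour: the display name is interpolated into alt raw."""
    return ('<img src="%s" width="%s" height="%s" alt="%s" class="gravatar"/>'
            % (url, size, size, name))


def render_fixed(url, size, name):
    """Post-fix behaviour: every substituted value is HTML-escaped first.

    html.escape(quote=True) stands in for the conditional_escape that
    format_html applies; the output matches the upstream test's expectation.
    """
    def esc(value):
        return html.escape(str(value), quote=True)
    return ('<img src="%s" width="%s" height="%s" alt="%s" class="gravatar"/>'
            % (esc(url), esc(size), esc(size), esc(name)))


def tag_is_intact(markup):
    """Defensive check for a regression test: a single <img> tag must
    contain exactly one '<'; any extra one means an attribute broke out."""
    return markup.startswith("<img ") and markup.count("<") == 1
```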

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
Djblets (PyPI)   < 0.7.30             0.7.30
Djblets (PyPI)   >= 0.8, < 0.8.3      0.8.3

Affected products

  • cpe:2.3:a:reviewboard:djblets:*:*:*:*:*:*:*:* (range: <= 0.7.29)
  • cpe:2.3:a:reviewboard:djblets:0.7.27:*:*:*:*:*:*:*
  • cpe:2.3:a:reviewboard:djblets:0.7.28:*:*:*:*:*:*:*
  • cpe:2.3:a:reviewboard:djblets:0.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:reviewboard:djblets:0.8.2:*:*:*:*:*:*:*

Patches

e2c79117efd9

Update the 0.8.3 release notes with the CVEs.

https://github.com/djblets/djblets · Christian Hammond · Jun 8, 2014 · via ghsa
1 file changed · +4 −0
  • NEWS (+4 −0, modified)
    @@ -5,13 +5,17 @@ version 0.8.3 (6-June-2014):
     		  Users could construct a name that would allow for injecting
     		  JavaScript in the page. That name is now properly escaped.
     
    +		  This is CVE-2014-3995.
    +
     		* Fixed a XSS issue in json_dumps.
     
     		  JSON payloads constructed based on user input and then injected into
     		  a page could result in custom JavaScript being injected into the
     		  page. Additional escaping is now performed to ensure this does not
     		  happen.
     
    +		  This is CVE-2014-3994 (discovered by "uchida", bug #3406).
    +
     
     version 0.8.2 (2-June-2014):
     	* Packaging:
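Review bot: The new CVE-2014-3995 paragraph carries no reporter credit or bug reference, whereas the CVE-2014-3994 paragraph added in the same hunk names the discoverer and bug #3406; if a tracker entry exists for the gravatar issue, cite it the same way so the two entries read consistently. The unchanged context line "Fixed a XSS issue in json_dumps." would read better as "an XSS issue", though that is outside this change.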
    
50000d0bbb98

Update the 0.7.30 release notes with the CVEs.

https://github.com/djblets/djblets · Christian Hammond · Jun 8, 2014 · via ghsa
1 file changed · +4 −0
  • NEWS (+4 −0, modified)
    @@ -5,13 +5,17 @@ version 0.7.30 final (6-June-2014):
     		  Users could construct a name that would allow for injecting
     		  JavaScript in the page. That name is now properly escaped.
     
    +		  This is CVE-2014-3995.
    +
     		* Fixed a XSS issue in json_dumps.
     
     		  JSON payloads constructed based on user input and then injected into
     		  a page could result in custom JavaScript being injected into the
     		  page. Additional escaping is now performed to ensure this does not
     		  happen.
     
    +		  This is CVE-2014-3994 (discovered by "uchida", bug #3406).
    +
     
     version 0.7.29 final (9-April-2014):
     	* djblets.webapi:
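Review bot: This hunk is a word-for-word copy of the 0.8.3 NEWS change in e2c79117efd9 applied to the 0.7.30 section, which is the right shape for a backport; the same gap applies, namely that the CVE-2014-3995 line gives no bug reference while the CVE-2014-3994 line does. Keep both branches' wording identical when that reference is added so the release notes do not drift.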
    
77ac64642ad5

Fix a XSS vulnerability in the gravatar template tag.

https://github.com/djblets/djblets · Christian Hammond · Jun 6, 2014 · via ghsa
2 files changed · +39 −3
  • djblets/gravatars/templatetags/gravatars.py (+5 −3, modified)
    @@ -25,6 +25,7 @@
     from __future__ import unicode_literals
     
     from django import template
    +from django.utils.html import format_html
     
     from djblets.gravatars import (get_gravatar_url,
                                    get_gravatar_url_for_email)
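Review bot: format_html was added in Django 1.5, so this import raises ImportError on older Django releases; confirm that the minimum Django version declared for both the 0.7.x and 0.8.x branches is at least 1.5, or guard the import with a fallback built from django.utils.html.escape and mark_safe for older installs.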
    @@ -55,9 +56,10 @@ def gravatar(context, user, size=None):
         url = get_gravatar_url(context['request'], user, size)
     
         if url:
    -        return ('<img src="%s" width="%s" height="%s" alt="%s" '
    -                '     class="gravatar"/>' %
    -                (url, size, size, user.get_full_name() or user.username))
    +        return format_html(
    +            '<img src="{0}" width="{1}" height="{1}" alt="{2}" '
    +            'class="gravatar"/>',
    +            url, size, user.get_full_name() or user.username)
         else:
             return ''
     
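Review bot: The fix is sound: format_html runs each positional argument through conditional_escape, so a display name can no longer close the alt attribute, and it returns a safe string, so the template engine will not escape the tag a second time. Two details worth noting on the replaced lines: url is now escaped as well, which is correct for an attribute value (an & in the query string becomes &amp; and the browser decodes it), and size still defaults to None in the signature, so a tag rendered without a size emits width="None" height="None" exactly as before this change.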
    
  • djblets/gravatars/templatetags/tests.py (+34 −0, added)
    @@ -0,0 +1,34 @@
    +from __future__ import unicode_literals
    +
    +from django.contrib.auth.models import User
    +from django.template import Token, TOKEN_TEXT
    +
    +from djblets.testing.testcases import TagTest
    +from djblets.gravatars.templatetags.gravatars import gravatar
    +
    +
    +class DummyRequest(object):
    +    def is_secure(self):
    +        return False
    +
    +
    +class TagTests(TagTest):
    +    """Unit tests for gravatars template tags."""
    +    def test_gravatar_xss(self):
    +        """Testing {% gravatar %} doesn't allow XSS injection"""
    +        user = User(username='test',
    +                    first_name='"><script>alert(1);</script><"',
    +                    email='test@example.com')
    +
    +        node = gravatar(self.parser, Token(TOKEN_TEXT, 'gravatar user 32'))
    +        context = {
    +            'request': DummyRequest(),
    +            'user': user,
    +        }
    +
    +        self.assertEqual(
    +            node.render(context),
    +            '<img src="http://www.gravatar.com/avatar/'
    +            '55502f40dc8b7c769880b10874abc9d0?s=32" width="32" height="32" '
    +            'alt="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;&quot;" '
    +            'class="gravatar"/>')
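Review bot: The test exercises only the first_name branch of user.get_full_name() or user.username; the same interpolation receives user.username when the full name is empty, so add a second case with an empty first_name and a hostile username to cover that path too. Asserting on the whole rendered tag, including the hard-coded md5 of test@example.com and the http scheme chosen by DummyRequest.is_secure(), will also make the test fail on unrelated URL changes; an assertIn on the escaped alt value alone would be more robust.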
    
