Changelog, blog post for 0.5.2, 0.4.2

CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.5.2, 0.4.2 (December 18, 2013)
+
+### React
+
+* Fixed a potential XSS vulnerability when using user content as a `key`: [CVE-2013-7035](https://groups.google.com/forum/#!topic/reactjs/OIqxlB2aGfU)
+
+
 ## 0.5.1 (October 29, 2013)
 
 ### React

README.md

@@ -36,12 +36,12 @@ The fastest way to get started is to serve JavaScript from the CDN (also availab
 
 ```html
 <!-- The core React library -->
-<script src="http://fb.me/react-0.5.1.js"></script>
+<script src="http://fb.me/react-0.5.2.js"></script>
 <!-- In-browser JSX transformer, remove when pre-compiling JSX. -->
-<script src="http://fb.me/JSXTransformer-0.5.1.js"></script>
+<script src="http://fb.me/JSXTransformer-0.5.2.js"></script>
 ```
 
-We've also built a [starter kit](http://facebook.github.io/react/downloads/react-0.5.1.zip) which might be useful if this is your first time using React. It includes a webpage with an example of using React with live code.
+We've also built a [starter kit](http://facebook.github.io/react/downloads/react-0.5.2.zip) which might be useful if this is your first time using React. It includes a webpage with an example of using React with live code.
 
 If you'd like to use [bower](http://bower.io), it's as easy as:
 

docs/_config.yml

@@ -13,7 +13,7 @@ redcarpet:
 pygments: true
 name: React
 markdown: redcarpet
-react_version: 0.5.1
+react_version: 0.5.2
 description: A JavaScript library for building user interfaces
 relative_permalinks: true
 paginate: 5

docs/_posts/2013-12-18-react-v0.5.2-v0.4.2.md

@@ -0,0 +1,23 @@
+---
+title: "React v0.5.2, v0.4.2"
+layout: post
+author: Paul O'Shannessy
+---
+
+Today we're releasing an update to address a potential XSS vulnerability that can	 arise when using user data as a `key`. Typically "safe" data is used for a `key`, for example, an id from your database, or a unique hash. However there are cases where it may be reasonable to use user generated content. A carefully crafted piece of content could result in arbitrary JS execution. While we make a very concerted effort to ensure all text is escaped before inserting it into the DOM, we missed one case. Immediately following the discovery of this vulnerability, we performed an audit to ensure we this was the only such vulnerability.
+
+This only affects v0.5.x and v0.4.x. Versions in the 0.3.x family are unaffected.
+
+Updated versions are available for immediate download via npm, bower, and on our [download page][download].
+
+We take security very seriously at Facebook. For most of our products, users don't need to know that a security issue has been fixed. But with libraries like React, we need to make sure developers using React have access to fixes to keep their users safe.
+
+While we've encouraged responsible disclosure as part of [Facebook's whitehat bounty program][bounty] since we launched, we don't have a good process for notifying our users. Hopefully we don't need to use it, but moving forward we'll set up a little bit more process to ensure the safety of our users. Ember.js has [an excellent policy][ember] which we may use as our model.
+
+You can learn more about the vulnerability discussed here: [CVE-2013-7035][cve].
+
+[download]: http://facebook.github.io/react/downloads.html
+[bounty]: https://www.facebook.com/whitehat/
+[ember]: http://emberjs.com/security/
+[cve]: https://groups.google.com/forum/#!topic/reactjs/OIqxlB2aGfU
+

package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-tools",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "keywords": [
     "react",
     "jsx",

src/core/React.js

@@ -66,6 +66,6 @@ var React = {
 
 // Version exists only in the open-source version of React, not in Facebook's
 // internal version.
-React.version = '0.5.1';
+React.version = '0.5.2';
 
 module.exports = React;

src/core/ReactTextComponent.js

@@ -65,7 +65,7 @@ mixInto(ReactTextComponent, {
       mountDepth
     );
     return (
-      '<span ' + ReactMount.ATTR_NAME + '="' + rootID + '">' +
+      '<span ' + ReactMount.ATTR_NAME + '="' + escapeTextForBrowser(rootID) + '">' +
         escapeTextForBrowser(this.props.text) +
       '</span>'
     );