
Don't expose the Strophe connection object globally.

Instead, expose only the initialize and onConnected functions.
Updated the tests to work with this.
JC Brand 12 лет назад
Родитель
Сommit
2d4a14ac2d
8 измененных файлов с 154 добавлено и 127 удалено
  1. 5 0
      CHANGES.rst
  2. 14 6
      converse.js
  3. 0 0
      converse.min.js
  4. 3 3
      index.html
  5. 3 4
      spec/ChatRoomSpec.js
  6. 5 6
      spec/MainSpec.js
  7. 84 76
      test_minified.html
  8. 40 32
      tests_main.js

+ 5 - 0
CHANGES.rst

@@ -1,6 +1,11 @@
 Changelog
 =========
 
+0.5.2 (Unreleased)
+------------------
+
+- Important security update. Don't expose the Strophe connection object globally. [jcbrand]
+
 0.5.1 (2013-08-04)
 ------------------
 

+ 14 - 6
converse.js

@@ -43,6 +43,7 @@
     var converse = {};
     converse.initialize = function (settings) {
         // Default values
+        var converse = this;
         this.animate = true;
         this.auto_list_rooms = false;
         this.auto_subscribe = false;
@@ -54,15 +55,14 @@
         this.xhr_user_search = false;
         _.extend(this, settings);
 
-
-        var __ = function (str) {
-            var t = converse.i18n.translate(str);
+        var __ = $.proxy(function (str) {
+            var t = this.i18n.translate(str);
             if (arguments.length>1) {
                 return t.fetch.apply(t, [].slice.call(arguments,1));
             } else {
                 return t.fetch();
             }
-        };
+        }, this);
         this.msg_counter = 0;
         this.autoLink = function (text) {
             // Convert URLs into hyperlinks
@@ -2646,7 +2646,7 @@
                 },this));
                 this.giveFeedback(__('Online Contacts'));
                 if (callback) {
-                    callback();
+                    callback(this);
                 }
             }, this));
         };
@@ -2664,5 +2664,13 @@
             this.toggleControlBox();
         }
     };
-    return converse;
+    return {
+        'initialize': function (settings) {
+            converse.initialize(settings);
+        },
+        'onConnected': function (connection, callback) { 
+            // onConnected can only be called after initialize has been called.
+            converse.onConnected(connection, callback);
+        }
+    };
 }));
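Review bot: The new public `onConnected` wrapper at the end of the last hunk says it "can only be called after initialize" but nothing enforces that, so a caller that gets the order wrong runs `converse.onConnected` against the bare module object with none of the defaults from the top of `initialize` set. A flag set by the public `initialize` and checked in `onConnected` turns that into an explicit error. Note also that `callback(this)` in the middle hunk hands the callback the full private `converse` instance, which carries the very connection this commit stops exposing; that is reasonable for the integrator who supplied the connection, but the wrapper should say so, e.g. `// callback receives the private converse instance (including the connection); do not pass it to untrusted code`. The bodies of `initialize` and `onConnected` continue outside these hunks.
```javascript
    var initialized = false;
    return {
        'initialize': function (settings) {
            converse.initialize(settings);
            initialized = true;
        },
        'onConnected': function (connection, callback) {
            // onConnected can only be called after initialize has been called.
            if (!initialized) {
                throw new Error('converse.onConnected called before converse.initialize');
            }
            converse.onConnected(connection, callback);
        }
    };
```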

+ 0 - 0
converse.min.js


+ 3 - 3
index.html

@@ -19,8 +19,8 @@
         <h1 id="project_title"><a href="http://conversejs.org">Converse.js</a></h1>
         <h2 id="project_tagline">An XMPP chat client for your website</h2>
         <section id="downloads">
-            <a class="zip_download_link" href="https://github.com/jcbrand/converse.js/archive/v0.5.1.zip">Download the latest release as a .zip file</a>
-            <a class="tar_download_link" href="https://github.com/jcbrand/converse.js/archive/v0.5.1.tar.gz">Download the latest release as a tar.gz file</a>
+            <a class="zip_download_link" href="https://github.com/jcbrand/converse.js/archive/v0.5.2.zip">Download the latest release as a .zip file</a>
+            <a class="tar_download_link" href="https://github.com/jcbrand/converse.js/archive/v0.5.2.tar.gz">Download the latest release as a tar.gz file</a>
         </section>
     </header>
     </div>
@@ -29,7 +29,7 @@
     <div id="main_content_wrap" class="outer">
     <section id="main_content" class="inner">
 
-    <p><strong>Converse.js</strong> is an open source, webchat client, that
+    <p><strong>Converse.js</strong> is an open source webchat client, that
     runs in the browser and can be integrated into any website.</p>
 
     <p>It's similar to <a href="https://www.facebook.com/sitetour/chat.php" target="_blank">Facebook chat</a>, but also supports multi-user chatrooms.</p>

+ 3 - 4
spec/ChatRoomSpec.js

@@ -1,12 +1,11 @@
 (function (root, factory) {
     define([
-        "converse",
         "mock"
-        ], function (converse, mock_connection) {
-            return factory(converse, mock_connection);
+        ], function (mock_connection) {
+            return factory(mock_connection);
         }
     );
-} (this, function (converse, mock_connection) {
+} (this, function (mock_connection) {
     return describe("ChatRooms", $.proxy(function() {
         var chatroom_names = [
             'Dyon van de Wege', 'Thomas Kalb', 'Dirk Theissen', 'Felix Hofmann', 'Ka Lek', 'Anne Ebersbacher'

+ 5 - 6
spec/MainSpec.js

@@ -1,13 +1,12 @@
 (function (root, factory) {
     define([
-        "converse",
         "mock"
-        ], function (converse, mock_connection) {
-            return factory(converse, mock_connection);
+        ], function (mock_connection) {
+            return factory(mock_connection);
         }
     );
-} (this, function (converse, mock_connection) {
-    return describe("Converse.js", $.proxy(function() {
+} (this, function (mock_connection) {
+    return describe("Converse.js", function() {
         // Names from http://www.fakenamegenerator.com/
         var req_names = [
             'Louw Spekman', 'Mohamad Stet', 'Dominik Beyer'
@@ -651,5 +650,5 @@
                 }, converse));
             }, converse));
         }, converse));
-    }, converse));
+    });
 }));
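Review bot: The outer `describe` is no longer proxied to `converse`, but the nested `$.proxy(..., converse)` calls at the bottom of the second hunk still reference `converse`, which is no longer a module dependency and resolves only via the global the runner assigns before requiring the specs. If the specs are ever loaded without that assignment they fail with a bare ReferenceError; a guard at the top of the factory such as `if (typeof converse === 'undefined') { throw new Error('MainSpec needs the converse global set by the test runner'); }` makes the dependency explicit. The inner describe blocks lie between the two hunks.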

+ 84 - 76
test_minified.html

@@ -7,8 +7,8 @@
     <link rel="shortcut icon" type="image/png" href="components/jasmine/images/jasmine_favicon.png">
     <link rel="stylesheet" type="text/css" href="components/jasmine/src/html/jasmine.css">
     <link rel="stylesheet" type="text/css" media="screen" href="stylesheets/stylesheet.css">
-    <link rel="stylesheet" type="text/css" media="screen" href="converse-0.5.0.min.css">
-    <script src="converse-0.5.0.min.js"></script>
+    <link rel="stylesheet" type="text/css" media="screen" href="converse.min.css">
+    <script src="converse.min.js"></script>
     <script src="components/jasmine/lib/jasmine-core/jasmine.js"></script>
     <script src="components/jasmine/lib/jasmine-core/jasmine-html.js"></script>
     <script src="node_modules/jasmine-reporters/src/jasmine.console_reporter.js"></script>
@@ -33,83 +33,91 @@
     </div>
 
 <script>
-    require([
-        'converse',
-        "spec/MainSpec",
-        "spec/ChatRoomSpec"], 
-    function (converse) {
-        var mock_connection = {
-            'muc': {
-                'listRooms': function () {},
-                'join': function () {},
-                'leave': function () {},
-                'removeRoom': function () {},
-                'rooms': {}
-            },
-            'jid': 'dummy@localhost',
-            'addHandler': function (handler, ns, name, type, id, from, options) {
-                return function () {};
-            },
-            'send': function () {},
-            'roster': {
-                'add': function () {},
-                'authorize': function () {},
-                'unauthorize': function () {},
-                'get': function () {},
-                'subscribe': function () {},
-                'registerCallback': function () {}
-            },
-            'vcard': {
-                'get': function (callback, jid) {
-                    var firstname, lastname;
-                    if (!jid) {
-                        jid = 'dummy@localhost';
-                        firstname = 'Max';
-                        lastname = 'Mustermann';
-                    } else {
-                        var name = jid.split('@')[0].replace('.', ' ').split(' ');
-                        firstname = name[0].charAt(0).toUpperCase()+name[0].slice(1);
-                        lastname = name[1].charAt(0).toUpperCase()+name[1].slice(1);
-                    }
-                    var fullname = firstname+' '+lastname;
-                    var vcard = $iq().c('vCard').c('FN').t(fullname);
-                    callback(vcard.tree());
+    var mock_connection = {
+        'muc': {
+            'listRooms': function () {},
+            'join': function () {},
+            'leave': function () {},
+            'removeRoom': function () {},
+            'rooms': {}
+        },
+        'jid': 'dummy@localhost',
+        'addHandler': function (handler, ns, name, type, id, from, options) {
+            return function () {};
+        },
+        'send': function () {},
+        'roster': {
+            'add': function () {},
+            'authorize': function () {},
+            'unauthorize': function () {},
+            'get': function () {},
+            'subscribe': function () {},
+            'registerCallback': function () {}
+        },
+        'vcard': {
+            'get': function (callback, jid) {
+                var firstname, lastname;
+                if (!jid) {
+                    jid = 'dummy@localhost';
+                    firstname = 'Max';
+                    lastname = 'Mustermann';
+                } else {
+                    var name = jid.split('@')[0].replace('.', ' ').split(' ');
+                    firstname = name[0].charAt(0).toUpperCase()+name[0].slice(1);
+                    lastname = name[1].charAt(0).toUpperCase()+name[1].slice(1);
                 }
-            },
-            'disco': {
-                'info': function () {},
-                'items': function () {}
+                var fullname = firstname+' '+lastname;
+                var vcard = $iq().c('vCard').c('FN').t(fullname);
+                callback(vcard.tree());
             }
-        };
-
-        // Set up converse.js
-        window.localStorage.clear();
-        converse.initialize({
-            prebind: false,
-            xhr_user_search: false,
-            auto_subscribe: false,
-            animate: false
-        });
-        converse.onConnected(mock_connection);
-
-        // Jasmine stuff
-        var jasmineEnv = jasmine.getEnv();
-        if (/PhantomJS/.test(navigator.userAgent)) {
-            jasmineEnv.addReporter(new jasmine.TrivialReporter());
-            jasmineEnv.addReporter(new jasmine.JUnitXmlReporter('./test-reports/'));
-            jasmineEnv.addReporter(new jasmine.ConsoleReporter());
-            jasmineEnv.updateInterval = 0;
-        } else {
-            var htmlReporter = new jasmine.HtmlReporter();
-            jasmineEnv.addReporter(htmlReporter);
-            jasmineEnv.addReporter(new jasmine.ConsoleReporter());
-            jasmineEnv.specFilter = function(spec) {
-                return htmlReporter.specFilter(spec);
-            };
-            jasmineEnv.updateInterval = 200;
+        },
+        'disco': {
+            'info': function () {},
+            'items': function () {}
+        }
+    };
+    require([
+        "jquery",
+        "converse",
+        ], function($, converse) {
+            // Set up converse.js
+            window.localStorage.clear();
+            converse.initialize({
+                prebind: false,
+                xhr_user_search: false,
+                auto_subscribe: false,
+                animate: false
+            });
+            converse.onConnected(
+                mock_connection, 
+                function (converse) {
+                    window.converse = converse;
+                    require([
+                        "spec/MainSpec",
+                        "spec/ChatRoomSpec"
+                    ], function () {
+                        // Jasmine stuff
+                        var jasmineEnv = jasmine.getEnv();
+                        if (/PhantomJS/.test(navigator.userAgent)) {
+                            jasmineEnv.addReporter(new jasmine.TrivialReporter());
+                            jasmineEnv.addReporter(new jasmine.JUnitXmlReporter('./test-reports/'));
+                            jasmineEnv.addReporter(new jasmine.ConsoleReporter());
+                            jasmineEnv.updateInterval = 0;
+                        } else {
+                            var htmlReporter = new jasmine.HtmlReporter();
+                            jasmineEnv.addReporter(htmlReporter);
+                            jasmineEnv.addReporter(new jasmine.ConsoleReporter());
+                            jasmineEnv.specFilter = function(spec) {
+                                return htmlReporter.specFilter(spec);
+                            };
+                            jasmineEnv.updateInterval = 200;
+                        }
+                        jasmineEnv.execute();
+                    });
+                }
+            );
         }
-        jasmineEnv.execute();
-    });
+    );
 </script>
 </body>
 </html>
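Review bot: `window.converse = converse;` inside the onConnected callback puts the full private instance — including the connection the library now hides — back on the global object, and the callback parameter `converse` shadows the public API object received from require one scope up, so the same name means two different things within a few lines. Both are acceptable in a test page but should be marked so the pattern is not copied into an integration: rename the parameter, e.g. `function (converse_instance) {`, and annotate the assignment `window.converse = converse_instance; // TEST ONLY: specs read the private instance via this global`. The ordering (assign the global, then require the specs) appears deliberate because the specs seem to read `converse` when their describe blocks are defined; a one-line comment saying so would help too.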

+ 40 - 32
tests_main.js

@@ -60,37 +60,45 @@ require([
     "jquery",
     "converse",
     "mock",
-    "jasmine-html",
-    "jasmine-console-reporter",
-    "jasmine-junit-reporter",
-    "spec/MainSpec",
-    "spec/ChatRoomSpec"
+    "jasmine-html"
     ], function($, converse, mock_connection, jasmine) {
-
-    // Set up converse.js
-    window.localStorage.clear();
-    converse.initialize({
-        prebind: false,
-        xhr_user_search: false,
-        auto_subscribe: false,
-        animate: false
-    });
-
-    // Jasmine stuff
-    var jasmineEnv = jasmine.getEnv();
-    if (/PhantomJS/.test(navigator.userAgent)) {
-        jasmineEnv.addReporter(new jasmine.TrivialReporter());
-        jasmineEnv.addReporter(new jasmine.JUnitXmlReporter('./test-reports/'));
-        jasmineEnv.addReporter(new jasmine.ConsoleReporter());
-        jasmineEnv.updateInterval = 0;
-    } else {
-        var htmlReporter = new jasmine.HtmlReporter();
-        jasmineEnv.addReporter(htmlReporter);
-        jasmineEnv.addReporter(new jasmine.ConsoleReporter());
-        jasmineEnv.specFilter = function(spec) {
-            return htmlReporter.specFilter(spec);
-        };
-        jasmineEnv.updateInterval = 200;
+        // Set up converse.js
+        window.localStorage.clear();
+        converse.initialize({
+            prebind: false,
+            xhr_user_search: false,
+            auto_subscribe: false,
+            animate: false
+        });
+        converse.onConnected(
+            mock_connection, 
+            function (converse) {
+                window.converse = converse;
+                require([
+                    "jasmine-console-reporter",
+                    "jasmine-junit-reporter",
+                    "spec/MainSpec",
+                    "spec/ChatRoomSpec"
+                ], function () {
+                    // Jasmine stuff
+                    var jasmineEnv = jasmine.getEnv();
+                    if (/PhantomJS/.test(navigator.userAgent)) {
+                        jasmineEnv.addReporter(new jasmine.TrivialReporter());
+                        jasmineEnv.addReporter(new jasmine.JUnitXmlReporter('./test-reports/'));
+                        jasmineEnv.addReporter(new jasmine.ConsoleReporter());
+                        jasmineEnv.updateInterval = 0;
+                    } else {
+                        var htmlReporter = new jasmine.HtmlReporter();
+                        jasmineEnv.addReporter(htmlReporter);
+                        jasmineEnv.addReporter(new jasmine.ConsoleReporter());
+                        jasmineEnv.specFilter = function(spec) {
+                            return htmlReporter.specFilter(spec);
+                        };
+                        jasmineEnv.updateInterval = 200;
+                    }
+                    jasmineEnv.execute();
+                });
+            }
+        );
     }
-    converse.onConnected(mock_connection, $.proxy(jasmineEnv.execute, jasmineEnv));
-});
+);

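Review bot: The callback parameter `converse` in `function (converse) { window.converse = converse; ...` shadows the `converse` API object of the enclosing require callback, and the assignment reinstates for the test runner exactly the global the library no longer provides, now holding the private instance with its connection. Rename the parameter and flag the global so the intent is clear, e.g. `function (converse_instance) {` and `window.converse = converse_instance; // TEST ONLY: re-exposes the private instance for the specs`. Nothing here checks that `mock_connection` loaded, though the `"mock"` dependency is declared above the hunk, so that is probably fine.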