From 1ad5eb86bba40317ff97c7bb6b40b0371dd2c1d9 Mon Sep 17 00:00:00 2001
From: Jenni Nurmi <jenni@sharetribe.com>
Date: Tue, 26 Nov 2019 14:02:42 +0200
Subject: [PATCH 1/3] Replace '<' with unicode equivalent in script tag

---
 src/components/Page/Page.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/components/Page/Page.js b/src/components/Page/Page.js
index 701783f5b..cee20b5e5 100644
--- a/src/components/Page/Page.js
+++ b/src/components/Page/Page.js
@@ -197,7 +197,9 @@ class PageComponent extends Component {
           <meta httpEquiv="Content-Type" content="text/html; charset=UTF-8" />
           <meta httpEquiv="Content-Language" content={intl.locale} />
           {metaTags}
-          <script type="application/ld+json">{schemaArrayJSONString}</script>
+          <script type="application/ld+json">
+            {schemaArrayJSONString.replace(/</g, '\\u003c')}
+          </script>
         </Helmet>
         <CookieConsent />
         <div

From 59db9cb808552ff3bf546505f221ed64c318788d Mon Sep 17 00:00:00 2001
From: Jenni Nurmi <jenni@sharetribe.com>
Date: Tue, 26 Nov 2019 14:04:58 +0200
Subject: [PATCH 2/3] Update changelog

---
 CHANGELOG.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4099ab77..1fe134b3c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,9 +17,23 @@ https://github.com/sharetribe/flex-template-web/
 
 ## Upcoming version 2019-XX-XX
 
+## [v5.0.2] 2019-11-26
+
+- [fix] Fix XSS-vulnerability on SearchPage where URL param 'address' was exposed directly to
+  schema, which is just a script tag: <script type="application/ld+json">. On server-side, this
+  could leak malformed HTML through to browsers and made it possible to inject own script tags.
+
+However, CSP prevents any data breach: injected js can't send data to unknonwn 3rd party sites.
+
+NOTE: Check that `REACT_APP_CSP` is in block mode on your production environment. You can read more
+from Flex docs: https://www.sharetribe.com/docs/guides/how-to-set-up-csp-for-ftw/
+[#62](https://github.com/sharetribe/ftw-hourly/pull/62)
+
 - [fix] Add missing translation key EditListingDescriptionPanel.createListingTitle and change link
   name in UserNav. [#62](https://github.com/sharetribe/ftw-hourly/pull/62)
 
+[v5.0.2]: https://github.com/sharetribe/ftw-hourly/compare/v5.0.1...v5.0.2
+
 ## [v5.0.1] 2019-11-22
 
 - [fix] Fix proptype validation error for initialized date object for FieldDateInput

From 9d2ed601a46a394de28852dd5ca9311950da5a63 Mon Sep 17 00:00:00 2001
From: Jenni Nurmi <jenni@sharetribe.com>
Date: Tue, 26 Nov 2019 14:05:15 +0200
Subject: [PATCH 3/3] Update package.json

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 465d1a99c..8489c58cc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "app",
-  "version": "v5.0.1",
+  "version": "v5.0.2",
   "private": true,
   "license": "Apache-2.0",
   "dependencies": {