mirror of
https://github.com/discourse/discourse.git
synced 2024-11-29 04:03:57 -06:00
SECURITY: XSS with title selector on preferences page
Note this is very low severity as the group needs to be created with a default title that contains HTML, and group creation is restricted to staff members right now.
parent
6e22499e5f
commit
629bb8adf2
@ -748,7 +748,9 @@ const User = RestModel.extend({
|
||||
}
|
||||
});
|
||||
|
||||
return _.uniq(titles).sort();
|
||||
return _.uniq(titles)
|
||||
.sort()
|
||||
.map(Ember.Handlebars.Utils.escapeExpression);
|
||||
},
|
||||
|
||||
@computed("user_option.text_size_seq", "user_option.text_size")
|
||||
|
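Review bot: The escaping is applied inside the model getter (the `.map(Ember.Handlebars.Utils.escapeExpression)` step) rather than at the point where the titles are rendered, so every consumer of this list now receives HTML-encoded strings. If a selected entry is also used as a value (compared with the user's current title or sent back on save, neither of which is visible here), a title containing `&` or a quote would no longer match its stored form, and any template that already escapes would show it double-encoded. Escaping in the selector that renders the options would keep the model data raw; if the getter stays the encoding point, a comment such as `// HTML-escaped here: the preferences title selector renders these without escaping` above the return would keep a later refactor from dropping the call. The getter begins above the hunk, so its name and dependent keys are not visible.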