From e4d190d856e4e1aecf5483b3249f064677abaf11 Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Mon, 1 Apr 2013 12:01:27 -0400
Subject: [PATCH] XSS fix for category descriptions

---
 .../javascripts/discourse/components/utilities.js   | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/app/assets/javascripts/discourse/components/utilities.js b/app/assets/javascripts/discourse/components/utilities.js
index 4d3773de828..496d339ed7d 100644
--- a/app/assets/javascripts/discourse/components/utilities.js
+++ b/app/assets/javascripts/discourse/components/utilities.js
@@ -39,19 +39,18 @@ Discourse.Utilities = {
 
   // Create a badge like category link
   categoryLink: function(category) {
-    var color, textColor, name, description, result;
     if (!category) return "";
 
-    color = Em.get(category, 'color');
-    textColor = Em.get(category, 'text_color');
-    name = Em.get(category, 'name');
-    description = Em.get(category, 'description');
+    var color = Em.get(category, 'color');
+    var textColor = Em.get(category, 'text_color');
+    var name = Em.get(category, 'name');
+    var description = Em.get(category, 'description');
 
     // Build the HTML link
-    result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";
+    var result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";
 
     // Add description if we have it
-    if (description) result += "title=\"" + description + "\" ";
+    if (description) result += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" ";
 
     return result + "style=\"background-color: #" + color + "; color: #" + textColor + ";\">" + name + "</a>";
   },