From 515024a0acbae61692d8bea541b076d73c3a9d66 Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Thu, 11 Aug 2016 11:15:00 +0800
Subject: [PATCH] SECURITY: Escape image title in lightbox.

---
 app/assets/javascripts/discourse/lib/lightbox.js.es6 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/lib/lightbox.js.es6 b/app/assets/javascripts/discourse/lib/lightbox.js.es6
index 96630d05059..4f6f0d8451d 100644
--- a/app/assets/javascripts/discourse/lib/lightbox.js.es6
+++ b/app/assets/javascripts/discourse/lib/lightbox.js.es6
@@ -1,4 +1,5 @@
 import loadScript from 'discourse/lib/load-script';
+import { escapeExpression } from 'discourse/lib/utilities';
 
 export default function($elem) {
   $("a.lightbox", $elem).each(function(i, e) {
@@ -33,7 +34,7 @@ export default function($elem) {
       image: {
         titleSrc(item) {
           const href = item.el.data("download-href") || item.src;
-          let src = [item.el.attr("title"), $("span.informations", item.el).text().replace('x', '×')];
+          let src = [escapeExpression(item.el.attr("title")), $("span.informations", item.el).text().replace('x', '×')];
           if (!Discourse.SiteSettings.prevent_anons_from_downloading_files || Discourse.User.current()) {
             src.push('' + I18n.t("lightbox.download") + '');
           }
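Review bot: The second element of `src` on the added line is still joined into the same title string unescaped: `$("span.informations", item.el).text()` yields decoded text, and `.replace('x', '×')` does nothing for `<`, `>` or `&`, so whichever renderer treats the joined title as markup (the very reason the first element now needs escaping) would interpret markup in that span's text as well. Whether that span's content can be influenced by a post author is not visible from this hunk, but the consistent fix is cheap: `let src = [escapeExpression(item.el.attr("title")), escapeExpression($("span.informations", item.el).text().replace('x', '×'))];`. The `href` computed on the line above appears to feed the download link built on the `src.push` line, whose markup seems to have been lost in this rendering; if it is concatenated into HTML there, it deserves the same escaping, which I cannot confirm from the hunk. Since `src` is only appended to afterwards, `const src` would also be the tighter declaration. The enclosing `titleSrc` method and the surrounding `export default function` continue outside the hunk.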