From 554e5c848228371d9fd6e1d042a5ea2101792484 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Wed, 2 Jul 2014 19:55:27 -0400
Subject: [PATCH] XSS: Escape the custom title (admin only) when displaying group titles.

---
 app/assets/javascripts/discourse/components/poster-name.js.es6 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/assets/javascripts/discourse/components/poster-name.js.es6 b/app/assets/javascripts/discourse/components/poster-name.js.es6
index ebeaacc3454..583a423b726 100644
--- a/app/assets/javascripts/discourse/components/poster-name.js.es6
+++ b/app/assets/javascripts/discourse/components/poster-name.js.es6
@@ -37,6 +37,7 @@ var PosterNameComponent = Em.Component.extend({
 var title = post.get('user_title');
 if (!Em.isEmpty(title)) {
+ title = Handlebars.Utils.escapeExpression(title);
 buffer.push('');
 if (Em.isEmpty(primaryGroupName)) {
 buffer.push(title);