From 6646b23569e2cd1e395f90b46664c7657520ce88 Mon Sep 17 00:00:00 2001
From: Sam Saffron <sam.saffron@gmail.com>
Date: Tue, 16 Sep 2014 07:53:17 +1000
Subject: [PATCH] SECURITY: Escape strings in logs

---
 app/assets/javascripts/admin/models/staff_action_log.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/admin/models/staff_action_log.js b/app/assets/javascripts/admin/models/staff_action_log.js
index e4fc6ecaa62..3b2f2a733fc 100644
--- a/app/assets/javascripts/admin/models/staff_action_log.js
+++ b/app/assets/javascripts/admin/models/staff_action_log.js
@@ -22,14 +22,14 @@ Discourse.StaffActionLog = Discourse.Model.extend({
       formatted += this.format('admin.logs.staff_actions.previous_value', 'previous_value');
     }
     if (!this.get('useModalForDetails')) {
-      if (this.get('details')) formatted += this.get('details') + '<br/>';
+      if (this.get('details')) formatted += Handlebars.Utils.escapeExpression(this.get('details')) + '<br/>';
     }
     return formatted;
   }.property('ip_address', 'email'),
 
   format: function(label, propertyName) {
     if (this.get(propertyName)) {
-      return ('<b>' + I18n.t(label) + ':</b> ' + this.get(propertyName) + '<br/>');
+      return ('<b>' + I18n.t(label) + ':</b> ' + Handlebars.Utils.escapeExpression(this.get(propertyName)) + '<br/>');
     } else {
       return '';
     }