github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-23 01:04:27 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: escape input of forgot password form before rendering it back to you

Browse Source
This commit is contained in:
Neil Lalonde 2014-07-15 17:19:28 -04:00
parent 7dade2cd99
commit 82bdef2047
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/assets/javascripts/discourse/controllers/forgot-password.js.es6
View File

@ -24,10 +24,11 @@ export default Discourse.Controller.extend(Discourse.ModalFunctionality, {
}); });
// don't tell people what happened, this keeps it more secure (ensure same on server) // don't tell people what happened, this keeps it more secure (ensure same on server)
var escaped = Handlebars.Utils.escapeExpression(this.get('accountEmailOrUsername'));
if (this.get('accountEmailOrUsername').match(/@/)) { if (this.get('accountEmailOrUsername').match(/@/)) {
this.flash(I18n.t('forgot_password.complete_email', {email: this.get('accountEmailOrUsername')})); this.flash(I18n.t('forgot_password.complete_email', {email: escaped}));
} else { } else {
this.flash(I18n.t('forgot_password.complete_username', {username: this.get('accountEmailOrUsername')})); this.flash(I18n.t('forgot_password.complete_username', {username: escaped}));
} }
return false; return false;
} }