mirror of
https://github.com/discourse/discourse.git
synced 2024-12-13 20:03:51 +08:00
SECURITY: XSS with title selector on preferences page
Note this is very low severity as the group needs to be created with a default title that contains HTML, and group creation is restricted to staff members right now.
This commit is contained in:
parent
4fd470e63d
commit
d1c12539dd
|
@ -718,7 +718,9 @@ const User = RestModel.extend({
|
|||
}
|
||||
});
|
||||
|
||||
return _.uniq(titles).sort();
|
||||
return _.uniq(titles)
|
||||
.sort()
|
||||
.map(Ember.Handlebars.Utils.escapeExpression);
|
||||
},
|
||||
|
||||
@computed("user_option.text_size_seq", "user_option.text_size")
|
||||
|
|
Loading…
Reference in New Issue
Block a user