From d1c12539dd95fe6095fbb03436490282cb833843 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 9 Jul 2019 15:45:03 -0400
Subject: [PATCH] SECURITY: XSS with title selector on preferences page

Note this is very low severity as the group needs to be created with a default title that contains HTML, and group creation is restricted to staff members right now.
---
 app/assets/javascripts/discourse/models/user.js.es6 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/models/user.js.es6 b/app/assets/javascripts/discourse/models/user.js.es6
index b9064d13f62..9f4a6bd0148 100644
--- a/app/assets/javascripts/discourse/models/user.js.es6
+++ b/app/assets/javascripts/discourse/models/user.js.es6
@@ -718,7 +718,9 @@ const User = RestModel.extend({
 }
 });

- return _.uniq(titles).sort();
+ return _.uniq(titles)
+ .sort()
+ .map(Ember.Handlebars.Utils.escapeExpression);
 },

 @computed("user_option.text_size_seq", "user_option.text_size")
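Review bot: Escaping inside the model on the new `return` changes the value of every title containing `&`, `<`, `>`, `"` or `'` rather than only its rendering, so a group title such as `Q&A` now comes back as `Q&amp;A`; any consumer that compares these strings against the user's stored title to mark the current selection, or posts the chosen value back to the server, will see a different string than the one stored (those consumers are not in this hunk, so this is inferred from the commit subject). The safer shape is to keep the model value raw and escape at the one place the preferences title selector injects HTML, or to return `{ value: title, label: escapeExpression(title) }` pairs so the raw value survives alongside the display form. If the escaped return is kept, document it at the `return`, e.g. `// HTML-escaped on purpose: the preferences title selector renders these as HTML; unescape before comparing to user.title.` The enclosing computed property begins before this hunk, so its name and the origin of `titles` are not visible here.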