mirror of
https://github.com/discourse/discourse.git
synced 2024-12-14 13:03:45 +08:00
SECURITY: XSS with title selector on preferences page
Note this is very low severity as the group needs to be created with a default title that contains HTML, and group creation is restricted to staff members right now.
parent
4fd470e63d
commit
d1c12539dd
|
@ -718,7 +718,9 @@ const User = RestModel.extend({
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
return _.uniq(titles).sort();
|
return _.uniq(titles)
|
||||||
|
.sort()
|
||||||
|
.map(Ember.Handlebars.Utils.escapeExpression);
|
||||||
},
|
},
|
||||||
|
|
||||||
@computed("user_option.text_size_seq", "user_option.text_size")
|
@computed("user_option.text_size_seq", "user_option.text_size")
|
||||||
|
|
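Review bot: The `.map(Ember.Handlebars.Utils.escapeExpression)` added to the returned titles list encodes the data in the model rather than where it is rendered, so every consumer of this property now receives HTML-entity-encoded strings. If the selected value is sent back to the server or compared with the user's current title (neither is visible in this hunk), a legitimate title containing `&` or `'` would no longer match, and a template that already escapes on output would double-encode it. Consider making the title selector treat option names as text, or at least document the contract here with a comment such as `// HTML-escaped for the preferences title selector; do not compare or submit these values`. A regression test that builds a group whose default title contains markup and asserts the escaped output would keep this from reopening. The enclosing computed property starts above the hunk.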