FIX: Ensure values are escaped in select-kit dropdowns (#16586)

The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
2025-02-21 08:14:01 +08:00 · 2022-04-28 16:31:41 +01:00 · 2022-04-28 16:31:41 +01:00 · d8b68e00c9
commit d8b68e00c9
parent bb57be95f0
1 changed files with 1 additions and 1 deletions
--- a/app/assets/javascripts/select-kit/addon/templates/components/selected-choice.hbs
+++ b/app/assets/javascripts/select-kit/addon/templates/components/selected-choice.hbs
@ -4,7 +4,7 @@
    {{yield}}
  {{else}}
    <span class="d-button-label">
-      {{html-safe itemName}}
+      {{itemName}}
    </span>
  {{/if}}
 </button>