From e23b8e79054291dab592e8c14cf980bd4abb3e04 Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Fri, 2 Mar 2018 11:58:03 -0500
Subject: [PATCH] SECURITY: sanitize topic title when staff is viewing a user's past flagged posts and deleted topics

---
 .../discourse/routes/build-admin-user-posts-route.js.es6 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/assets/javascripts/discourse/routes/build-admin-user-posts-route.js.es6 b/app/assets/javascripts/discourse/routes/build-admin-user-posts-route.js.es6
index 1615cdaca8d..4fbc3c13666 100644
--- a/app/assets/javascripts/discourse/routes/build-admin-user-posts-route.js.es6
+++ b/app/assets/javascripts/discourse/routes/build-admin-user-posts-route.js.es6
@@ -1,3 +1,5 @@
+import { emojiUnescape } from 'discourse/lib/text';
+
 export default function (filter) {
 return Discourse.Route.extend({
 actions: {
@@ -20,6 +22,12 @@ export default function (filter) {
 // initialize "canLoadMore"
 model.set("canLoadMore", model.get("itemsLoaded") === 60);
 
+ model.get('content').forEach((item) => {
+ if (item.get('title')) {
+ item.set('title', emojiUnescape(Handlebars.Utils.escapeExpression(item.title)));
+ }
+ });
+
 this.controllerFor("user-posts").set("model", model);
 },
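Review bot: The escaping in the second hunk runs only once, over the initial `model.get('content')`, so if the `canLoadMore` flag set on the line above drives a load-more path that appends further items elsewhere, those items would reach the template with unescaped titles unless that path applies the same transform; moving the escape-then-`emojiUnescape` step into a shared helper used by both, or into the component that renders the title, would close that gap. The same line mixes `item.get('title')` and `item.title`; use `item.set('title', emojiUnescape(Handlebars.Utils.escapeExpression(item.get('title'))));` so both reads go through Ember's getter. Mutating `title` on the model also means any other consumer of these objects now sees HTML-escaped text, which is worth a why-comment such as `// title is rendered unescaped so emoji images show; escape HTML first`. The enclosing method starts and ends outside the hunk.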