mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 09:12:45 +08:00
5ee31cbf7d
* FIX: Mark invites flash messages as HTML safe. This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client. Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220
* If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend.
* Escape user input instead of sanitizing
Directories:

- assets
- controllers
- helpers
- jobs
- mailers
- models
- serializers
- services
- views