mirror of
https://github.com/discourse/discourse.git
synced 2024-11-27 23:26:18 +08:00
5ee31cbf7d
* FIX: Mark invites flash messages as HTML safe. This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client. Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220 * If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend. * Escape user input instead of sanitizing |
||
---|---|---|
.. | ||
images | ||
javascripts | ||
stylesheets |