FIX: Ensure values are escaped in select-kit dropdowns (#16576)

The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
2022-04-28 08:52:29 +01:00 · 2022-04-28 08:52:29 +01:00 · 0f7b198ca0
parent 8ada093218
commit 0f7b198ca0
1 changed files with 1 additions and 1 deletions
--- a/app/assets/javascripts/select-kit/addon/templates/components/selected-choice.hbs
+++ b/app/assets/javascripts/select-kit/addon/templates/components/selected-choice.hbs
@ -4,7 +4,7 @@
    {{yield}}
  {{else}}
    <span class="d-button-label">
-      {{html-safe itemName}}
+      {{itemName}}
    </span>
  {{/if}}
 </button>