From 1d1dd43e275bcc10862a03d8bfa7aaac2deb42ac Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 25 Jul 2014 17:26:57 +1000
Subject: [PATCH] SECURITY: fix XSS using fancy mention hack
---
 .../javascripts/discourse/controllers/poster-expansion.js.es6 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6 b/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6
index c4b969defad..b526344b294 100644
--- a/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6
+++ b/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6
@@ -23,6 +23,8 @@ export default Discourse.ObjectController.extend({
 showMoreBadges: Em.computed.gt('moreBadgesCount', 0),
 show: function(username, uploadedAvatarId) {
+ // XSS protection (should be encapsulated)
+ username = username.replace(/[^A-Za-z0-9_]/g, "");
 var url = "/users/" + username;
 // Don't show on mobile
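Review bot: The added filter on `show`'s first parameter rewrites an unexpected value into a different, still-valid username rather than rejecting it, so a value containing characters outside the allowed set silently opens the card for whatever name remains after stripping; failing closed with `if (!/^[A-Za-z0-9_]+$/.test(username)) { return; }` keeps the protection and also stops reassigning the parameter. The value is concatenated into a path on the very next line, so `var url = "/users/" + encodeURIComponent(username);` is worth adding as defence in depth even with the allow-list in place. The comment's "(should be encapsulated)" would carry more weight as a `// TODO:` naming the shared helper this check should move to, since the same username allow-list presumably exists server-side and the two need to stay in sync. The body of `show` continues outside the hunk.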