XSS: Escape the custom title (admin only) when displaying group titles.

Robin Ward 2014-07-02 19:55:27 -04:00
parent 162b5abae6
commit 554e5c8482
1 changed files with 1 additions and 0 deletions
app/assets/javascripts/discourse/components


@ -37,6 +37,7 @@ var PosterNameComponent = Em.Component.extend({
var title = post.get('user_title');
if (!Em.isEmpty(title)) {
title = Handlebars.Utils.escapeExpression(title);
buffer.push('<span class="user-title">');
if (Em.isEmpty(primaryGroupName)) {
buffer.push(title);