XSS: Escape the custom title (admin only) when displaying group titles.
parent
162b5abae6
commit
554e5c8482
app/assets/javascripts/discourse/components
|
@ -37,6 +37,7 @@ var PosterNameComponent = Em.Component.extend({
|
|||
var title = post.get('user_title');
|
||||
if (!Em.isEmpty(title)) {
|
||||
|
||||
title = Handlebars.Utils.escapeExpression(title);
|
||||
buffer.push('<span class="user-title">');
|
||||
if (Em.isEmpty(primaryGroupName)) {
|
||||
buffer.push(title);
|
||||
|
|
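Review bot: The escape added at `title = Handlebars.Utils.escapeExpression(title);` covers only `title`, while `primaryGroupName`, tested two lines later in `Em.isEmpty(primaryGroupName)`, is not escaped anywhere in the visible lines. The `else` branch of that test lies outside the hunk, so this cannot be confirmed from here, but if it writes the group name into the same raw `buffer` (as text or inside an attribute) it should go through `Handlebars.Utils.escapeExpression(...)` as well, with URL-encoding if it ends up in an `href`. Overwriting `title` in place also means any later non-HTML use of the variable would see the encoded form; `var escapedTitle = Handlebars.Utils.escapeExpression(title);` would keep the raw and encoded values distinct. A short comment such as `// user_title is free text set by an admin; escape before writing into the raw HTML buffer` would record why the call is there, and a regression test that renders a title containing markup would keep the escape from being dropped in a later refactor.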