SECURITY: XSS with title selector on preferences page

Note that this is very low severity, because the group must be created with a
default title that contains HTML, and group creation is currently restricted to
staff members.
Robin Ward 2019-07-09 15:45:03 -04:00
parent 6e22499e5f
commit 629bb8adf2
1 changed files with 3 additions and 1 deletions


@ -748,7 +748,9 @@ const User = RestModel.extend({
}
});
return _.uniq(titles).sort();
return _.uniq(titles)
.sort()
.map(Ember.Handlebars.Utils.escapeExpression);
},
@computed("user_option.text_size_seq", "user_option.text_size")
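Review bot: The added `.map(Ember.Handlebars.Utils.escapeExpression)` escapes in the model's computed property rather than at the point where the title selector renders, so every consumer of this list now receives entity-encoded strings instead of the real titles. The consumers are not visible in this hunk, but if the selected value is sent back to the server or compared with the user's current title, a legitimate title containing `&` or `<` (constructed example: `R&D` becoming `R&amp;D`) would presumably stop matching, and any template that already escapes would show it double-encoded. Consider keeping the model returning raw titles and moving the escaping to where the selector builds its HTML; if the escaping stays here, document it with a comment such as `// NOTE: titles are HTML-escaped for the title selector; these are display strings, not raw values`. The enclosing function begins above the hunk, and since the commit touches a single file, a regression test covering a group title that contains markup appears to be missing.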