From e37ced96bfd43a0632660a5cd780efff3e920f87 Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Wed, 21 Sep 2022 12:21:58 -0500
Subject: [PATCH] DEV: Don't interpret user field names as HTML (#18317)

This isn't a security bug, because only admins can create user fields and we have to trust admins, because they can change themes, which are shown site-wide and can contain unrestricted JS.
---
 .../discourse/app/templates/components/user-fields/confirm.hbs | 2 +-
 .../discourse/app/templates/components/user-fields/dropdown.hbs | 2 +-
 .../app/templates/components/user-fields/multiselect.hbs | 2 +-
 .../discourse/app/templates/components/user-fields/text.hbs | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/assets/javascripts/discourse/app/templates/components/user-fields/confirm.hbs b/app/assets/javascripts/discourse/app/templates/components/user-fields/confirm.hbs
index 9b204313b59..43cdb5ca8a0 100644
--- a/app/assets/javascripts/discourse/app/templates/components/user-fields/confirm.hbs
+++ b/app/assets/javascripts/discourse/app/templates/components/user-fields/confirm.hbs
@@ -1,6 +1,6 @@
 {{#if this.field.name}}
 {{/if}}
diff --git a/app/assets/javascripts/discourse/app/templates/components/user-fields/dropdown.hbs b/app/assets/javascripts/discourse/app/templates/components/user-fields/dropdown.hbs
index 3ac7a135aa0..968d014f0c4 100644
--- a/app/assets/javascripts/discourse/app/templates/components/user-fields/dropdown.hbs
+++ b/app/assets/javascripts/discourse/app/templates/components/user-fields/dropdown.hbs
@@ -1,5 +1,5 @@