XSS fix for category descriptions

app/assets/javascripts/discourse/components/utilities.js

@@ -39,19 +39,18 @@ Discourse.Utilities = {
 
   // Create a badge like category link
   categoryLink: function(category) {
-    var color, textColor, name, description, result;
     if (!category) return "";
 
-    color = Em.get(category, 'color');
+    var color = Em.get(category, 'color');
-    textColor = Em.get(category, 'text_color');
+    var textColor = Em.get(category, 'text_color');
-    name = Em.get(category, 'name');
+    var name = Em.get(category, 'name');
-    description = Em.get(category, 'description');
+    var description = Em.get(category, 'description');
 
     // Build the HTML link
-    result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";
+    var result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";
 
     // Add description if we have it
-    if (description) result += "title=\"" + description + "\" ";
+    if (description) result += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" ";
 
     return result + "style=\"background-color: #" + color + "; color: #" + textColor + ";\">" + name + "</a>";
   },