Commit d3487c8b authored by Maxwell Salzberg

fix a small possible xss in personImage handlebar helpers if the attacker had access to your root domain. fixes #3392
parent ab28c536
......@@ -22,5 +22,5 @@ Handlebars.registerHelper('personImage', function(person, size, imageClass) {
size = (typeof(size) != "string" ? "small" : size);
imageClass = (typeof(imageClass) != "string" ? size : imageClass);
return "<img src=\"" + person.avatar[size] +"\" class=\"avatar " + imageClass + "\" title=\"" + person.name +"\" />";
return "<img src=\"" + person.avatar[size] +"\" class=\"avatar " + imageClass + "\" title=\"" + _.escape(person.name) +"\" />";
})
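Review bot: the escaping in the added line covers only `person.name`; `person.avatar[size]` and `imageClass` are still concatenated into the `src` and `class` attributes unescaped, so a double quote in an avatar URL or in a caller-supplied class name breaks out of its attribute exactly as a quote in the name did. Apply `_.escape()` to those values as well, e.g. `"<img src=\"" + _.escape(person.avatar[size]) + "\" class=\"avatar " + _.escape(imageClass) + "\" title=\"" + _.escape(person.name) + "\" />"`, and consider checking `size` against the known avatar keys rather than indexing `person.avatar` with an arbitrary string, since an unknown key yields `undefined` and the concatenation then emits the literal text `undefined` as the image source.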