]> cat aescling's git repositories - mastodon.git/commitdiff
cat aescling's git repositories / mastodon.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7951e7f)
Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss...
authorEugen Rochko <eugen@zeonfederated.com>
Thu, 12 Jan 2017 02:54:50 +0000 (03:54 +0100)
committerEugen Rochko <eugen@zeonfederated.com>
Thu, 12 Jan 2017 02:54:50 +0000 (03:54 +0100)
app/views/home/index.html.haml patch | blob | history

diff --git a/app/views/home/index.html.haml b/app/views/home/index.html.haml
index 7302491292ca66564a198fd4ea9f63c348f81907..0147f4064b943e299337e7216ba2457973212541 100644 (file)
--- a/app/views/home/index.html.haml
+++ b/app/views/home/index.html.haml
@@ -1,6 +1,6 @@
 - content_for :header_tags do
   :javascript
-    window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)}
+    window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))}
 
   = javascript_include_tag 'application'
 
source code fur Kibicat Mastodon