From: Eugen Rochko Date: Thu, 12 Jan 2017 02:54:50 +0000 (+0100) Subject: Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss... X-Git-Url: https://git.xn--scling-oua.cat.family/?a=commitdiff_plain;h=4a2ee43e807b0d3fd55ed26f9d03c8e39ea6e486;p=mastodon.git Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else) --- diff --git a/app/views/home/index.html.haml b/app/views/home/index.html.haml index 730249129..0147f4064 100644 --- a/app/views/home/index.html.haml +++ b/app/views/home/index.html.haml @@ -1,6 +1,6 @@ - content_for :header_tags do :javascript - window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)} + window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))} = javascript_include_tag 'application'
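Review bot: `json_escape` is the right call for the interpolation in `window.INITIAL_STATE = #{...}`, because the rendered JSON lands inside a `<script>` body and the HTML parser closes that element at the first `</script>` it sees regardless of JavaScript string boundaries; `json_escape` rewrites `<`, `>` and `&` to `\u003c`, `\u003e` and `\u0026` (and the U+2028/U+2029 line separators), which keeps the payload valid JSON while removing every byte sequence that could end the script or start a new tag. Two things worth confirming before merging: that the `:javascript` filter does not additionally HTML-entity-encode the interpolated result (the quotes in the JSON would become `&quot;` and break parsing), and that the "only a user could XSS themselves" assessment holds for everything `home/initial_state` embeds, since any other account's display name or bio present in that state would make the same bug reflect across users. A view spec rendering `home/index` with a display name containing `</script><script>` and asserting the literal sequence is absent from the page would pin this down and prevent a regression if the interpolation is ever refactored.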