diff options
| author | Eugen Rochko <eugen@zeonfederated.com> | 2017-01-12 03:54:50 +0100 |
|---|---|---|
| committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-01-12 03:54:50 +0100 |
| commit | 4a2ee43e807b0d3fd55ed26f9d03c8e39ea6e486 (patch) | |
| tree | 6c3be07c85496da4f732c2c07ef577d80a53bd00 /app/views/home/index.html.haml | |
| parent | 7951e7ffd5cf5932f7206b52cd85f602abd9b25d (diff) | |
Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else)
Diffstat (limited to 'app/views/home/index.html.haml')
| -rw-r--r-- | app/views/home/index.html.haml | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/home/index.html.haml b/app/views/home/index.html.haml index 730249129..0147f4064 100644 --- a/app/views/home/index.html.haml +++ b/app/views/home/index.html.haml @@ -1,6 +1,6 @@ - content_for :header_tags do :javascript - window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)} + window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))} = javascript_include_tag 'application' |