about summary refs log tree commit diff
path: root/app
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2017-01-12 03:54:50 +0100
committerEugen Rochko <eugen@zeonfederated.com>2017-01-12 03:54:50 +0100
commit4a2ee43e807b0d3fd55ed26f9d03c8e39ea6e486 (patch)
tree6c3be07c85496da4f732c2c07ef577d80a53bd00 /app
parent7951e7ffd5cf5932f7206b52cd85f602abd9b25d (diff)
Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else)
Diffstat (limited to 'app')
-rw-r--r--app/views/home/index.html.haml2
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/home/index.html.haml b/app/views/home/index.html.haml
index 730249129..0147f4064 100644
--- a/app/views/home/index.html.haml
+++ b/app/views/home/index.html.haml
@@ -1,6 +1,6 @@
 - content_for :header_tags do
   :javascript
-    window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)}
+    window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))}
 
   = javascript_include_tag 'application'