From e5329d57771a0cbd573f0e45c55e39c150dd5c9e Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Wed, 7 Nov 2018 21:52:26 +0700
Subject: [PATCH] Fixed sanitization of user invited emails for notification message (#1060) (#1067)
no issue
- Escaped email ids string sent to notification message during blog setup
Credits: Antony Garand
---
 app/controllers/setup/three.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/controllers/setup/three.js b/app/controllers/setup/three.js
index 21d085269e..fad89c6d18 100644
--- a/app/controllers/setup/three.js
+++ b/app/controllers/setup/three.js
@@ -1,4 +1,5 @@
 import Controller from 'ember-controller';
+import Ember from 'ember';
 import RSVP from 'rsvp';
 import computed, {alias} from 'ember-computed';
 import {A as emberA} from 'ember-array/utils';
@@ -200,7 +201,7 @@ export default Controller.extend({
 if (erroredEmails.length > 0) {
 invitationsString = erroredEmails.length > 1 ? ' invitations: ' : ' invitation: ';
 message = `Failed to send ${erroredEmails.length} ${invitationsString}`;
- message += erroredEmails.join(', ');
+ message += Ember.Handlebars.Utils.escapeExpression(erroredEmails.join(', '));
 message += ". Please check your email configuration, see https://docs.ghost.org/v0.11.9/docs/mail-config for instructions";
 message = htmlSafe(message);
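Review bot: The added `import Ember from 'ember';` in the first hunk brings the whole Ember namespace into a file whose other imports are all modular shim modules (`ember-controller`, `rsvp`, `ember-computed`, `ember-array/utils`), and nothing records why this one differs. Its only visible use is `Ember.Handlebars.Utils.escapeExpression(...)` in the second hunk, presumably because that helper has no shim module; a comment on the import would keep a later import cleanup from dropping it, e.g. `// Whole-namespace import: Handlebars.Utils.escapeExpression has no modular shim`. It is worth spelling out there that the escaping is load-bearing, since the assembled `message` is later marked `htmlSafe`, so any further user-controlled value appended to that string would need the same treatment. The `Controller.extend` body that uses it starts outside the hunk, and the second hunk's trailing context appears cut off in this view.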