Commit
Escape message crypt status as we insert it into the DOM

The ->{'Value'} part of each message is inserted into the DOM with no
escaping (to accommodate MakeClicky and callbacks using HTML). Values RT
receives from other systems must be escaped or they leave us vulnerable to
an XSS injection attack.

This also happens to fix a bug where email addresses of senders would in
some cases not be shown in the browser.
Showing 1 changed file with 5 additions and 5 deletions.