You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Escape message crypt status as we insert it into the DOM
The ->{'Value'} part of each message is inserted into the DOM with no
escaping (to accommodate MakeClicky and callbacks using HTML). Values RT
receives from other systems must be escaped or they leave us vulnerable to
an XSS injection attack.
This also happens to fix a bug where email addresses of senders would in
some cases not be shown in the browser.
0 commit comments