Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else) - mastofe - My custom branche(s) on git.pleroma.social/pleroma/mastofe

commit: 4a2ee43e807b0d3fd55ed26f9d03c8e39ea6e486
parent: 7951e7ffd5cf5932f7206b52cd85f602abd9b25d
Author: Eugen Rochko <eugen@zeonfederated.com>
Date:   Thu, 12 Jan 2017 03:54:50 +0100

Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else)

Diffstat:
M app/views/home/index.html.haml 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/views/home/index.html.haml b/app/views/home/index.html.haml
@@ -1,6 +1,6 @@
 - content_for :header_tags do
   :javascript
-    window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)}
+    window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))}
 
   = javascript_include_tag 'application'