From 4a2ee43e807b0d3fd55ed26f9d03c8e39ea6e486 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 12 Jan 2017 03:54:50 +0100
Subject: [PATCH] Fix #457 - escape JSON in INITIAL_STATE (this bug only ever
 allowed a user to xss themselves rather than anyone else)

---
 app/views/home/index.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/home/index.html.haml b/app/views/home/index.html.haml
index 7302491292..0147f4064b 100644
--- a/app/views/home/index.html.haml
+++ b/app/views/home/index.html.haml
@@ -1,6 +1,6 @@
 - content_for :header_tags do
   :javascript
-    window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)}
+    window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))}
 
   = javascript_include_tag 'application'
 
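Review bot: The escaping on line 4 is the right fix, but the hunk leaves no trace of why it is there, and the next person who tidies this filter may drop it; a one-line JS comment inside the `:javascript` filter directly above the assignment would pin it: `// json_escape rewrites <, >, & and U+2028/U+2029 as \uXXXX so that user-controlled strings in the JSON cannot terminate this <script> block`. Two assumptions are worth confirming rather than relying on: ActiveSupport's `json_escape` does not mark its result as html_safe, so the output is only correct because Haml (at least in the 4.x line) does not HTML-escape `#{}` interpolation inside a `:javascript` filter — re-check this on a Haml upgrade, since double-escaping would silently corrupt the state object — and `json_escape` only substitutes characters, so the `home/initial_state` template must still emit valid JSON on its own. A view spec that renders this page with a display name containing `</script>` and asserts that the body contains the `\u003c/script\u003e` form would lock the behaviour in. The `content_for :header_tags` block opened at the top of the hunk may continue past its last line.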
-- 
GitLab