From 7ef2da0c832175cea1776a651a3c14051468fdc2 Mon Sep 17 00:00:00 2001
From: The Bastard Operator
Date: Sun, 16 Aug 2015 03:28:21 +0200
Subject: [PATCH 1/2] Fix XSS vulnerability
---
client/views/toggle.tpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/views/toggle.tpl b/client/views/toggle.tpl
index 08de2b5d..629d8215 100644
--- a/client/views/toggle.tpl
+++ b/client/views/toggle.tpl
@@ -9,7 +9,7 @@
 {{#if thumb}}
 {{/if}}
-
{{{head}}}
+
{{{parse head}}}
{{body}}
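Review bot: The new `{{{parse head}}}` line keeps the triple-stash, so Handlebars' own HTML escaping is still switched off for `head`; whether this actually closes the XSS depends entirely on the `parse` helper escaping its input before it adds any markup, and no part of this patch shows that helper. Because the safety of the line is invisible from the template, the contract should be stated next to it, e.g. `{{!-- head is untrusted; the parse helper must HTML-escape it before injecting its own markup --}}`, and backed by a rendering test that feeds a head value containing `<` and `&` and asserts on the escaped output. The compiled form in the second patch falls through to `helperMissing` when no `parse` helper is registered, which presumably fails loudly rather than rendering `head` raw, but that is inferred from the Handlebars runtime and not shown here. The surrounding markup of this line is not visible in the hunk, so the element that wraps `head` cannot be checked from this view.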
From 5656244e602abe91fdff1b90735adef1d218089c Mon Sep 17 00:00:00 2001
From: The Bastard Operator
Date: Fri, 18 Sep 2015 11:10:25 +0200
Subject: [PATCH 2/2] Included changes to shout.templates.js after grunt
---
client/js/shout.templates.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/js/shout.templates.js b/client/js/shout.templates.js
index b422bfc7..d25e4d65 100644
--- a/client/js/shout.templates.js
+++ b/client/js/shout.templates.js
@@ -160,7 +160,7 @@ templates['toggle'] = template({"1":function(depth0,helpers,partials,data) { stack1 = helpers['if'].call(depth0, (depth0 != null ? depth0.thumb : depth0), {"name":"if","hash":{},"fn":this.program(5, data),"inverse":this.noop,"data":data}); if (stack1 != null) { buffer += stack1; } buffer += "
"; - stack1 = ((helper = (helper = helpers.head || (depth0 != null ? depth0.head : depth0)) != null ? helper : helperMissing),(typeof helper === functionType ? helper.call(depth0, {"name":"head","hash":{},"data":data}) : helper)); + stack1 = ((helpers.parse || (depth0 && depth0.parse) || helperMissing).call(depth0, (depth0 != null ? depth0.head : depth0), {"name":"parse","hash":{},"data":data})); if (stack1 != null) { buffer += stack1; } return buffer + "
\n
\n " + escapeExpression(((helper = (helper = helpers.body || (depth0 != null ? depth0.body : depth0)) != null ? helper : helperMissing),(typeof helper === functionType ? helper.call(depth0, {"name":"body","hash":{},"data":data}) : helper)))