mirror of
https://github.com/mastodon/mastodon
synced 2024-12-18 08:38:20 +09:00
Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else)
This commit is contained in:
parent
7951e7ffd5
commit
4a2ee43e80
@ -1,6 +1,6 @@
|
||||
- content_for :header_tags do
|
||||
:javascript
|
||||
window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)}
|
||||
window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))}
|
||||
|
||||
= javascript_include_tag 'application'
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user