From 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Fri, 7 Jan 2022 13:15:08 -0800
Subject: [PATCH] CVE-2021-3853: Fix HTML escaping in recipient_row.

Commit 44f935695d452cc3fb16845a0c6af710438b153d (#20462) incorrectly added these extra braces while intending to add whitespace control. This triple-brace syntax was asking Handlebars to skip escaping the string.

Signed-off-by: Anders Kaseorg
---
 static/templates/recipient_row.hbs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/static/templates/recipient_row.hbs b/static/templates/recipient_row.hbs
index faf923f239..9cfc1df973 100644
--- a/static/templates/recipient_row.hbs
+++ b/static/templates/recipient_row.hbs
@@ -17,7 +17,7 @@
 {{/if}}
 {{~! Recipient (e.g. stream/topic or topic) ~}}
- {{~{display_recipient}~}}
+ {{~display_recipient~}}
 {{! hidden narrow icon for copy-pasting }}
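Review bot: The new `{{~display_recipient~}}` line restores Handlebars escaping but leaves nothing in the template that would stop the same `{{~{…}~}}` slip from being reintroduced, and the commit message itself notes the triple-stash was added by mistake while editing whitespace control. A short comment next to the expression would make the invariant explicit for the next editor, e.g. `{{! display_recipient is user-controlled (stream/topic name); keep the double-stash so Handlebars HTML-escapes it — see CVE-2021-3853 }}`. Since this was a shipped XSS, it would also be worth pairing the fix with a regression check that renders the template with a display_recipient containing `<script>` and asserts the output is escaped, and optionally a lint forbidding `{{{` / `{{~{` in `static/templates` unless explicitly allow-listed. The surrounding `{{#if}}` block begins before this hunk, so the context of the expression is not fully visible here.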