CVE-2021-3853: Fix HTML escaping in recipient_row.

Commit 44f935695d (#20462) incorrectly
added these extra braces while intending to add whitespace control.
This triple-brace syntax was asking Handlebars to skip escaping the
string.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg 2022-01-07 13:15:08 -08:00 committed by Alex Vandiver
parent 3659d95092
commit 3eb2791c3e
1 changed files with 1 additions and 1 deletions

View File

@ -17,7 +17,7 @@
{{/if}} {{/if}}
{{~! Recipient (e.g. stream/topic or topic) ~}} {{~! Recipient (e.g. stream/topic or topic) ~}}
{{~{display_recipient}~}} {{~display_recipient~}}
</a> </a>
{{! hidden narrow icon for copy-pasting }} {{! hidden narrow icon for copy-pasting }}