From eb9bec97e642a973e95383c0c49d96bd43490f23 Mon Sep 17 00:00:00 2001
From: Chris Hallberg <crhallberg@gmail.com>
Date: Tue, 23 Feb 2016 11:44:55 -0500
Subject: [PATCH] Escape list titles to prevent JS injection.

---
 themes/bootstrap3/js/check_save_statuses.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/themes/bootstrap3/js/check_save_statuses.js b/themes/bootstrap3/js/check_save_statuses.js
index 1cf43788fd6..d1c9e6966c7 100644
--- a/themes/bootstrap3/js/check_save_statuses.js
+++ b/themes/bootstrap3/js/check_save_statuses.js
@@ -32,7 +32,7 @@ function checkSaveStatuses() {
         var html = list.find('strong')[0].outerHTML+'<ul>';
         for (var i=0; i<response.data[sel].length; i++) {
           html += '<li><a href="' + response.data[sel][i].list_url + '">'
-                   + response.data[sel][i].list_title + '</a></li>';
+                   + htmlEncode(response.data[sel][i].list_title) + '</a></li>';
         }
         html += '</ul>';
         list.html(html).removeClass('hidden');
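Review bot: `list_url`, on the line just above the changed one, is still concatenated unescaped into the `href="…"` attribute, so a value containing a double quote can break out of the attribute even though `list_title` is now encoded. Encode it as well, e.g. `html += '<li><a href="' + htmlEncode(response.data[sel][i].list_url) + '">'`, and confirm that `htmlEncode` (defined outside this hunk) escapes `"` and `'`, since an encoder written only for text nodes is not sufficient in attribute position. If `list_url` can be influenced by users rather than generated purely by the server, it should also be restricted to expected schemes or relative paths before it reaches an `href`. `checkSaveStatuses` starts and ends outside the hunk, so where `response.data` comes from and whether the `outerHTML` of the `strong` element is already escaped cannot be checked from here.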
-- 
GitLab