Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else)

8 years ago · 4a2ee43e80
parent 7951e7ffd5
commit 4a2ee43e80
1 changed files with 1 additions and 1 deletions
--- a/app/views/home/index.html.haml
+++ b/app/views/home/index.html.haml
@ -1,6 +1,6 @@
 - content_for :header_tags do
  :javascript
-    window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)}
+    window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))}

  = javascript_include_tag 'application'