From 7113b1a45bd29318c3ec5ea5f61b1d523868ef4d Mon Sep 17 00:00:00 2001
From: DJ Mountney <david@twkie.net>
Date: Thu, 8 Jun 2017 09:48:10 -0700
Subject: Merge branch 'cherry-pick-dc2ac993' into 'security-9-2'

Escapes html content before appending it to the DOM

See merge request !2107
---
 app/assets/javascripts/notes.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'app/assets/javascripts/notes.js')

diff --git a/app/assets/javascripts/notes.js b/app/assets/javascripts/notes.js
index 929965de5c1..b0143b12cfe 100644
--- a/app/assets/javascripts/notes.js
+++ b/app/assets/javascripts/notes.js
@@ -1478,7 +1478,7 @@ const normalizeNewlines = function(str) {
       const cachedNoteBodyText = $noteBodyText.html();
 
       // Show updated comment content temporarily
-      $noteBodyText.html(formContent);
+      $noteBodyText.html(_.escape(formContent));
       $editingNote.removeClass('is-editing fade-in-full').addClass('being-posted fade-in-half');
       $editingNote.find('.note-headline-meta a').html('<i class="fa fa-spinner fa-spin" aria-label="Comment is being updated" aria-hidden="true"></i>');
 
@@ -1491,7 +1491,7 @@ const normalizeNewlines = function(str) {
         })
         .fail(() => {
           // Submission failed, revert back to original note
-          $noteBodyText.html(cachedNoteBodyText);
+          $noteBodyText.html(_.escape(cachedNoteBodyText));
           $editingNote.removeClass('being-posted fade-in');
           $editingNote.find('.fa.fa-spinner').remove();
 
-- 
cgit v1.2.1