Fix #457 - escape JSON in INITIAL_STATE (this bug only ever allowed a user to xss themselves rather than anyone else)

This commit is contained in:
Eugen Rochko 2017-01-12 03:54:50 +01:00
parent 7951e7ffd5
commit 4a2ee43e80

View file

@ -1,6 +1,6 @@
- content_for :header_tags do
:javascript
window.INITIAL_STATE = #{render(file: 'home/initial_state', formats: :json)}
window.INITIAL_STATE = #{json_escape(render(file: 'home/initial_state', formats: :json))}
= javascript_include_tag 'application'