From 410b9fcce9aacf3cc4c141ae8ccbbd6708d9eea6 Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Wed, 20 Dec 2017 19:49:06 -0800
Subject: [PATCH] Manually patches handlebars JS to escape = to prevent XSS.
---
ui/javascripts/libs/handlebars-1.3.0.min.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/javascripts/libs/handlebars-1.3.0.min.js b/ui/javascripts/libs/handlebars-1.3.0.min.js
index cf13f76af7..21735ffcea 100644
--- a/ui/javascripts/libs/handlebars-1.3.0.min.js
+++ b/ui/javascripts/libs/handlebars-1.3.0.min.js
@@ -1,4 +1,4 @@ -var Handlebars=function(){var y=function(){function l(h){this.string=h}l.prototype.toString=function(){return""+this.string};return l}(),v=function(l){function h(a){return b[a]||"&"}var g={},b={"&":"&","<":"<",">":">",'"':""","'":"'","`":"`"},a=/[&<>"'`]/g,c=/[&<>"'`]/;g.extend=function(a,b){for(var k in b)Object.prototype.hasOwnProperty.call(b,k)&&(a[k]=b[k])};var d=Object.prototype.toString;g.toString=d;var e=function(a){return"function"===typeof a};e(/x/)&&(e=function(a){return"function"=== +var Handlebars=function(){var y=function(){function l(h){this.string=h}l.prototype.toString=function(){return""+this.string};return l}(),v=function(l){function h(a){return b[a]||"&"}var g={},b={"&":"&","<":"<",">":">",'"':""","'":"'","`":"`",'=':'='},a=/[&<>"'`=]/g,c=/[&<>"'`=]/;g.extend=function(a,b){for(var k in b)Object.prototype.hasOwnProperty.call(b,k)&&(a[k]=b[k])};var d=Object.prototype.toString;g.toString=d;var e=function(a){return"function"===typeof a};e(/x/)&&(e=function(a){return"function"=== typeof a&&"[object Function]"===d.call(a)});g.isFunction=e;var x=Array.isArray||function(a){return a&&"object"===typeof a?"[object Array]"===d.call(a):!1};g.isArray=x;g.escapeExpression=function(b){if(b instanceof l)return b.toString();if(!b&&0!==b)return"";b=""+b;return!c.test(b)?b:b.replace(a,h)};g.isEmpty=function(a){return!a&&0!==a?!0:x(a)&&0===a.length?!0:!1};return g}(y),p=function(){function l(g,b){var a;b&&b.firstLine&&(a=b.firstLine,g+=" - "+a+":"+b.firstColumn);for(var c=Error.prototype.constructor.call(this, g),d=0;d