Commit
CVE-2021-3853: Fix HTML escaping in recipient_row.
Commit 44f9356 (#20462) incorrectly added these extra braces while intending to add whitespace control. This triple-brace syntax was asking Handlebars to skip escaping the string.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
3eb2791
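The escaping difference the commit message describes, as an added example that is not part of the original commit or of Zulip's code: a small JavaScript stand-in for Handlebars' double- and triple-brace forms (not the Handlebars library itself), plus a check that lists raw expressions for review. The template text, `display_name` and the function names are constructed for illustration.

```javascript
// Added illustration: a stand-in for two Handlebars mustache forms, not the
// Handlebars library and not Zulip code. All names below are constructed.

// Characters Handlebars' escapeExpression turns into HTML entities.
const ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#x27;", "`": "&#x60;", "=": "&#x3D;",
};
const escapeHtml = (s) => String(s).replace(/[&<>"'`=]/g, (c) => ENTITIES[c]);

// {{name}} is HTML-escaped, {{{name}}} is emitted raw. A "~" next to the
// braces only trims whitespace on that side; it never affects escaping.
function render(template, context) {
  const trimmed = template
    .replace(/\s*(\{\{\{?)~/g, "$1")
    .replace(/~(\}\}\}?)\s*/g, "$1");
  return trimmed.replace(
    /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g,
    (_, raw, esc) =>
      raw !== undefined ? String(context[raw] ?? "") : escapeHtml(context[esc] ?? ""),
  );
}

// Review aid: report each raw (triple-brace) expression with its line number
// so every use can be confirmed as deliberate and pre-sanitized.
function findRawExpressions(template) {
  const hits = [];
  template.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(/\{\{\{~?\s*([\w.]+)\s*~?\}\}\}/g)) {
      hits.push({ line: i + 1, expr: m[1] });
    }
  });
  return hits;
}

// Constructed sample: a display name containing markup, rendered both ways.
const ctx = { display_name: "<i>Eve</i> & co" };
const rawTpl = '<span class="name">\n  {{{~display_name~}}}\n</span>';
const safeTpl = '<span class="name">\n  {{~display_name~}}\n</span>';

console.log(render(rawTpl, ctx));
console.log(render(safeTpl, ctx));
console.log(findRawExpressions(rawTpl));
```

Both templates trim the surrounding whitespace identically; only the brace count decides whether the markup in the value reaches the page unescaped.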
CVE-2021-3866 is the correct CVE for this commit; the CVE identifier we were originally given by a third party was also assigned to an unrelated vulnerability in a different project.