From 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <anders@zulip.com>
Date: Fri, 7 Jan 2022 13:15:08 -0800
Subject: [PATCH] CVE-2021-3853: Fix HTML escaping in recipient_row.

Commit 44f935695d452cc3fb16845a0c6af710438b153d (#20462) incorrectly
added these extra braces while intending to add whitespace control.
This triple-brace syntax was asking Handlebars to skip escaping the
string.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
---
 static/templates/recipient_row.hbs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/static/templates/recipient_row.hbs b/static/templates/recipient_row.hbs
index faf923f2396e2..9cfc1df973ada 100644
--- a/static/templates/recipient_row.hbs
+++ b/static/templates/recipient_row.hbs
@@ -17,7 +17,7 @@
                 {{/if}}
 
                 {{~! Recipient (e.g. stream/topic or topic) ~}}
-                {{~{display_recipient}~}}
+                {{~display_recipient~}}
             </a>
 
             {{! hidden narrow icon for copy-pasting }}