From c6e5e860709dcae379ca03c7c3124f94930d221c Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Tue, 1 Mar 2016 10:25:31 -0500
Subject: Bug 1252437 - XSS vulnerability through malicious bug aliases
---
 extensions/BMO/template/en/default/hook/bug/show-header-end.html.tmpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'extensions/BMO')
diff --git a/extensions/BMO/template/en/default/hook/bug/show-header-end.html.tmpl b/extensions/BMO/template/en/default/hook/bug/show-header-end.html.tmpl
index c9338aaf2..c49d06b73 100644
--- a/extensions/BMO/template/en/default/hook/bug/show-header-end.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/show-header-end.html.tmpl
@@ -14,7 +14,8 @@
 [% END %]
 [% title = "$bug.bug_id – " %]
 [% IF bug.alias != '' %]
- [% title = title _ "($bug.alias) " %]
+ [% filtered_alias = bug.alias FILTER html %]
+ [% title = title _ "($filtered_alias) " %]
 [% END %]
 [% title = title _ filtered_desc %]
 [% javascript = javascript _
-- 
cgit v1.2.3-24-g4f1b
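Review bot: Nothing at the `title` assignments records that `title` is assembled from pre-escaped pieces, which is the invariant this fix restores for `bug.alias`; the neighbouring `filtered_desc` follows the same convention, and the header presumably emits `title` without further filtering. A template comment above the `[% IF bug.alias != '' %]` block would keep the next field appended here from repeating the bug, e.g. `[%# title is emitted as HTML: FILTER html every user-controlled value before appending it %]`. The `[% javascript = javascript _` statement on the last context line continues outside the hunk. If that block interpolates the alias or other bug fields into script text, they need `FILTER js` rather than `FILTER html`, which is worth confirming alongside this change.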