From 02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58 Mon Sep 17 00:00:00 2001
From: David Lawrence <dkl@mozilla.com>
Date: Tue, 8 Mar 2016 14:26:33 +0000
Subject: Bug 1252445 - Tracking flags configuration is vulnerable to CSRF and
 causes persistent XSS

---
 extensions/BugModal/template/en/default/bug_modal/header.html.tmpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'extensions/BugModal/template/en/default/bug_modal/header.html.tmpl')

diff --git a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
index f70e77bb1..84efbd077 100644
--- a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
+++ b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
@@ -77,7 +77,8 @@
   [%# add tracking flags json if available %]
   [% IF tracking_flags %]
     [% javascript_urls.push("extensions/TrackingFlags/web/js/tracking_flags.js") %]
-    TrackingFlags = [% tracking_flags_json FILTER none %];
+    var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+    var TrackingFlags = $.parseJSON(tracking_flags_str);
   [% END %]
 
   [%# update last-visited %]
-- 
cgit v1.2.3-24-g4f1b