
Revision 5a573456

Added by Tomer Brisker over 7 years ago

Fixes #17195 - CVE-2016-8634 escape html in alert text

The alert helper used to mark the alert text as html_safe by default.
However, in some cases it may be possible for a user to enter custom
text into the alert message leading to a possible XSS vulnerability.
This patch changes this so that text is escaped unless explicitly
marked as html_safe in the code.
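The before-and-after behaviour the commit message describes, as an added example written for this page in plain Ruby; it is not code from the Foreman project or from this commit. `SafeString` is an assumed minimal stand-in for Rails' `ActiveSupport::SafeBuffer`, `alert_before` and `alert_after` are hypothetical helpers, and the script payload is a constructed sample input.

```ruby
require "erb"

# Assumption: minimal stand-in for Rails' ActiveSupport::SafeBuffer. A
# SafeString means "this markup was built by our own code, do not escape
# it again". Plain Strings are untrusted until proven otherwise.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Opt-in marker mirroring Rails' String#html_safe. Only code that
  # constructed the markup itself should call this on a value.
  def html_safe
    SafeString.new(self)
  end

  def html_safe?
    false
  end
end

# Pre-fix behaviour as described in the commit message: the helper treats
# every alert text as trusted markup, so attacker-influenced text reaches
# the page unescaped.
def alert_before(text, level: "warning")
  %(<div class="alert alert-#{level}">#{text}</div>).html_safe
end

# Post-fix behaviour: escape by default. Text passes through unchanged only
# when the caller explicitly marked it html_safe. Note that plain Ruby's
# ERB::Util.html_escape does not consult html_safe?, so the check is
# explicit here; Rails' override of html_escape does the same internally.
def alert_after(text, level: "warning")
  body  = text.html_safe? ? text : ERB::Util.html_escape(text)
  level = ERB::Util.html_escape(level)
  %(<div class="alert alert-#{level}">#{body}</div>).html_safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the kind of user-controlled text the CVE is about.
  payload = "<script>alert('xss')</script>"
  puts "before: #{alert_before(payload)}"
  puts "after:  #{alert_after(payload)}"
  # Markup built by trusted code still renders when marked explicitly.
  puts "trusted: #{alert_after('<b>Host saved</b>'.html_safe)}"
end
```

The important property is that the safe marker is an opt-in applied by the code that built the markup, never by a value that originated from a request parameter; interpolating an untrusted string into a literal and then calling `html_safe` on the whole thing, as `alert_before` does, is exactly the pattern the fix removes.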
