SECURITY: Escape email text for posts containing [details].

diff --git a/plugins/discourse-details/plugin.rb b/plugins/discourse-details/plugin.rb
index 68daecb..63c11d8 100644
--- a/plugins/discourse-details/plugin.rb
+++ b/plugins/discourse-details/plugin.rb
@@ -37,7 +37,7 @@ after_initialize do
       link = fragment.document.create_element("a")
       link["href"] = post.url if post
       link.content = I18n.t("details.excerpt_details")
-      el.replace text + " " + link.to_html
+      el.replace CGI.escapeHTML(text) + " " + link.to_html
     end
   end
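Review bot: the escaping on the `el.replace CGI.escapeHTML(text) + " " + link.to_html` line is correct only as long as every caller remembers that `Node#replace` parses a String argument as markup; the hunk shows no test exercising a `[details]` body whose text contains `<`, `>` or `&`, so add a spec that renders such a post to email and asserts the excerpt contains `&lt;` rather than a live tag (the later "DEV: Add test." commit should cover this). A more robust shape is to avoid string concatenation here altogether and hand `replace` nodes instead, e.g. `fragment.document.create_text_node(text)` alongside the already-built `link` element, so the serializer escapes `text` and there is no second HTML parse of untrusted content.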

GitHub sha: bccd090c

DEV: Add test.