From 82bdef20471dc562174cb68b3a41e6b92ac6dce8 Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Tue, 15 Jul 2014 17:19:28 -0400
Subject: [PATCH] FIX: escape input of forgot password form before rendering it back to you
---
 .../javascripts/discourse/controllers/forgot-password.js.es6 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/assets/javascripts/discourse/controllers/forgot-password.js.es6 b/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
index 5e3da4c84..e44c5b644 100644
--- a/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
+++ b/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
@@ -24,10 +24,11 @@ export default Discourse.Controller.extend(Discourse.ModalFunctionality, {
 });
 
 // don't tell people what happened, this keeps it more secure (ensure same on server)
+ var escaped = Handlebars.Utils.escapeExpression(this.get('accountEmailOrUsername'));
 if (this.get('accountEmailOrUsername').match(/@/)) {
- this.flash(I18n.t('forgot_password.complete_email', {email: this.get('accountEmailOrUsername')}));
+ this.flash(I18n.t('forgot_password.complete_email', {email: escaped}));
 } else {
- this.flash(I18n.t('forgot_password.complete_username', {username: this.get('accountEmailOrUsername')}));
+ this.flash(I18n.t('forgot_password.complete_username', {username: escaped}));
 }
 return false;
 }
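Review bot: The escaping in the added `var escaped = …` line is done at the call site, so it only protects these two messages; if `flash` inserts its message as raw HTML (which is what this fix implies), any other caller that passes user-derived text has the same exposure, and escaping inside `flash` or its template would cover them all, while escaping here risks a double-escape (`&` shown as `&amp;`) should the template later switch to auto-escaped output. The hunk also reads `accountEmailOrUsername` twice, once raw for the `/@/` test and once for escaping; `var input = this.get('accountEmailOrUsername'); var escaped = Handlebars.Utils.escapeExpression(input);` with `if (input.match(/@/))` would keep the two in sync and make the intent clearer. A why-comment on the new line would help the next reader, e.g. `// flash() renders the message as HTML, so escape the user-supplied value before interpolating it`. The enclosing action starts before the hunk.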