From 8abf652dc38b4fe93974597be5500401cd812444 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 23 Apr 2014 09:46:32 +1000
Subject: [PATCH] SECURITY: self XSS by admin by editing badge name
---
 app/assets/javascripts/discourse/lib/html.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/assets/javascripts/discourse/lib/html.js b/app/assets/javascripts/discourse/lib/html.js
index d98addbc4..d3fbff5ea 100644
--- a/app/assets/javascripts/discourse/lib/html.js
+++ b/app/assets/javascripts/discourse/lib/html.js
@@ -93,7 +93,7 @@ Discourse.HTML = {
 html += "data-drop-close=\"true\" class=\"badge-category" + (restricted ? ' restricted' : '' ) + extraClasses + "\" ";
-
+ name = Handlebars.Utils.escapeExpression(name);
 // Add description if we have it
 if (description) html += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" ";