From 904e532439c50e2a2c469ababea2c96e2e80e455 Mon Sep 17 00:00:00 2001
From: Sam Saffron <sam.saffron@gmail.com>
Date: Mon, 1 Feb 2016 20:53:26 +1100
Subject: [PATCH] SECURITY: topic titles can show up in user page unescaped
 when streamed in

---
 app/assets/javascripts/discourse/models/user.js.es6 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/assets/javascripts/discourse/models/user.js.es6 b/app/assets/javascripts/discourse/models/user.js.es6
index eff6ef3d7..d4e63bcb9 100644
--- a/app/assets/javascripts/discourse/models/user.js.es6
+++ b/app/assets/javascripts/discourse/models/user.js.es6
@@ -188,6 +188,7 @@ const User = RestModel.extend({
         if ((this.get('stream.filter') || ua.action_type) !== ua.action_type) return;
         if (!this.get('stream.filter') && !this.inAllStream(ua)) return;
 
+        ua.title = Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(ua.title));
         const action = UserAction.collapseStream([UserAction.create(ua)]);
         stream.set('itemsLoaded', stream.get('itemsLoaded') + 1);
         stream.get('content').insertAt(0, action[0]);