From dfc95d0f6f7fff057c6e6401cfec3e05042ba625 Mon Sep 17 00:00:00 2001
From: Harry Seo <harry@kakao.com>
Date: Wed, 18 Dec 2013 12:18:59 +0900
Subject: [PATCH] FIX: Title text should be correctly escaped since we are
 generating a raw html.

---
 app/assets/javascripts/discourse/helpers/application_helpers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/helpers/application_helpers.js b/app/assets/javascripts/discourse/helpers/application_helpers.js
index df586a31d..5c56c0c39 100644
--- a/app/assets/javascripts/discourse/helpers/application_helpers.js
+++ b/app/assets/javascripts/discourse/helpers/application_helpers.js
@@ -289,7 +289,7 @@ Handlebars.registerHelper('number', function(property, options) {
   var result = "<span class='" + classNames + "'";
 
   if (n !== title) {
-    result += " title='" + title + "'";
+    result += " title='" + Handlebars.Utils.escapeExpression(title) + "'";
   }
   result += ">" + n + "</span>";
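Review bot: Only `title` is escaped here, while the same hand-built string still concatenates `classNames` into the single-quoted `class='…'` attribute on the first context line and `n` into the span body on the last line without escaping. Where those two values come from is outside the hunk, and `n` looks like a formatted number, so this may be harmless today. If the helper returns the string as trusted markup, as the commit message suggests, every interpolated piece should still be escaped so the output stays safe when an input changes: `var result = "<span class='" + Handlebars.Utils.escapeExpression(classNames) + "'";` and `result += ">" + Handlebars.Utils.escapeExpression(n) + "</span>";`. A short comment above the concatenation, such as `// result is emitted as raw HTML: escape every value interpolated below`, would keep the next edit from reintroducing the problem. The helper's body begins and ends outside this hunk, so how the result is returned could not be checked.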