From 8766c23abbbee24400a44f2577463fde43e3689f Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Wed, 17 Mar 2021 12:46:41 +0100
Subject: [PATCH] Merge pull request #3767 from overleaf/jpa-xss-9

[views] mitigate Angular XSS in email confirmation post gateway

GitOrigin-RevId: 11cd752d520054e448b3eeea431fe27f3c02fa00
---
 services/web/app/views/user/confirm_email.pug | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/web/app/views/user/confirm_email.pug b/services/web/app/views/user/confirm_email.pug
index 44a62a905c..a42f29e741 100644
--- a/services/web/app/views/user/confirm_email.pug
+++ b/services/web/app/views/user/confirm_email.pug
@@ -18,11 +18,11 @@ block content
 ng-cloak
 )
 input(type="hidden", name="_csrf", value=csrfToken)
- input(type="hidden", name="token", value=token)
+ input(type="hidden", name="token", value=token ng-non-bindable)
 form-messages(for="confirmEmailForm")
 .alert.alert-success(ng-show="confirmEmailForm.response.success")
 | Thank you, your email is now confirmed
 p.text-center(ng-show="!confirmEmailForm.response.success && !confirmEmailForm.response.error")
 i.fa.fa-fw.fa-spin.fa-spinner(aria-hidden="true")
- |
+ |
 | Confirming your email…
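Review bot: The added `ng-non-bindable` on the hidden `token` input is separated from `value=token` by a space only, while every other attribute in the list is comma-separated; writing `input(type="hidden", name="token", value=token, ng-non-bindable)` leaves no doubt about where the `value` expression ends. The attribute also deserves a one-line reason so a later cleanup does not drop it, for example `//- ng-non-bindable: token is request-supplied; keeps Angular from evaluating {{ }} in the value`. The directive protects only this element, so if `token` comes straight from the confirmation link, as it appears to, checking its format in the controller before rendering would also cover any other place the value is reflected. The form's opening lines are outside the hunk, so whether other request-derived values sit inside the same Angular scope cannot be judged from here.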