Merge pull request #3767 from overleaf/jpa-xss-9

[views] mitigate Angular XSS in email confirmation post gateway GitOrigin-RevId: 11cd752d520054e448b3eeea431fe27f3c02fa00
2024-11-07 20:31:06 -05:00 · 2021-03-17 12:46:41 +01:00 · 2021-03-17 12:46:41 +01:00 · 8766c23abb
commit 8766c23abb
parent 115fe20184
1 changed files with 2 additions and 2 deletions
--- a/services/web/app/views/user/confirm_email.pug
+++ b/services/web/app/views/user/confirm_email.pug
@ -18,11 +18,11 @@ block content
 							ng-cloak
 						)
 							input(type="hidden", name="_csrf", value=csrfToken)
-							input(type="hidden", name="token", value=token)
+							input(type="hidden", name="token", value=token ng-non-bindable)
 							form-messages(for="confirmEmailForm")
 								.alert.alert-success(ng-show="confirmEmailForm.response.success")
 									| Thank you, your email is now confirmed
 							p.text-center(ng-show="!confirmEmailForm.response.success && !confirmEmailForm.response.error")
 								i.fa.fa-fw.fa-spin.fa-spinner(aria-hidden="true")
-								| 
+								|
 								| Confirming your email…