From dc9841cb699e40deb6af05147305933f7f51e099 Mon Sep 17 00:00:00 2001
From: Alasdair Smith
Date: Thu, 4 Mar 2021 14:22:34 +0000
Subject: [PATCH] Merge pull request #3723 from overleaf/as-fix-team-invite-xss

Prevent stored XSS on team invite page

GitOrigin-RevId: 0f79b96efcb86d121654a95da52da1c40550d3ae
---
 services/web/app/views/subscriptions/team/invite.pug | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/web/app/views/subscriptions/team/invite.pug b/services/web/app/views/subscriptions/team/invite.pug
index a6131655d5..b705db8003 100644
--- a/services/web/app/views/subscriptions/team/invite.pug
+++ b/services/web/app/views/subscriptions/team/invite.pug
@@ -18,7 +18,7 @@ block content
 .col-md-8.col-md-offset-2.text-center(ng-cloak)
 .card(ng-controller="TeamInviteController")
 .page-header
- h1.text-centered #{translate("invited_to_group", {inviterName: inviterName, appName: appName})}
+ h1.text-centered(ng-non-bindable) #{translate("invited_to_group", {inviterName: inviterName, appName: appName})}
 div(ng-show="view =='hasIndividualRecurlySubscription'")
 p #{translate("cancel_personal_subscription_first")}
@@ -36,6 +36,6 @@ block content
 a.btn.btn.btn-primary(ng-click="joinTeam()", ng-disabled="inflight") #{translate("accept_invitation")}
 div(ng-show="view =='inviteAccepted'")
- p #{translate("joined_team", {inviterName: inviterName})}
+ p(ng-non-bindable) #{translate("joined_team", {inviterName: inviterName})}
 p
 a.btn.btn.btn-primary(href="/project") #{translate("done")}
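Review bot: The protection added on the `h1.text-centered` line is per element: `ng-non-bindable` only stops Angular from interpolating the text of that node and its children, so the same server-rendered `inviterName` (or any other user-controlled string) placed under `.card(ng-controller="TeamInviteController")` without the attribute would presumably still be compiled by Angular, and nothing in the hunk records why the attribute is there. A pug comment on the line would keep the attribute from being dropped in a later template cleanup, e.g. `//- ng-non-bindable: inviterName is user-supplied; pug escapes HTML but Angular would still evaluate {{ }} in this text`. The second hunk at `@@ -36,6 +36,6 @@` (the `p(ng-non-bindable)` line) has the same shape and would take the same comment. A view test that renders the page with an inviter name containing `{{` `}}` and asserts the characters survive as literal text would pin this behaviour; the surrounding `block content` starts before the first hunk and continues past the second.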