Anders Kaseorg a9d59b3dcd CVE-2020-24582: Escape all strings interpolated into HTML. ...

Also fix various variable names to consistently indicate which strings
contain HTML.

Some of these changes close cross-site scripting vulnerabilities, and
others are for consistency.  It’s important to be meticulously
consistent about escaping so that changes that would introduce
vulnerabilities stand out as obviously wrong.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

2020-09-04 22:52:38 -07:00

1.2 KiB

Raw Blame History

View Raw