From bba4786df271b68d753e7f2dc202a9fe2da53c22 Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Wed, 26 Jun 2019 16:27:56 +0300
Subject: [PATCH] SECURITY: Escape email text for posts containing [details].

---
 plugins/discourse-details/plugin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/discourse-details/plugin.rb b/plugins/discourse-details/plugin.rb
index 68daecbd2c..63c11d8647 100644
--- a/plugins/discourse-details/plugin.rb
+++ b/plugins/discourse-details/plugin.rb
@@ -37,7 +37,7 @@ after_initialize do
       link = fragment.document.create_element("a")
       link["href"] = post.url if post
       link.content = I18n.t("details.excerpt_details")
-      el.replace text + " " + link.to_html
+      el.replace CGI.escapeHTML(text) + " " + link.to_html
     end
   end
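Review bot: The added line escapes `text` but still hands the result to `el.replace` as a markup string that Nokogiri re-parses, so the fix rests on `CGI.escapeHTML` covering every character the HTML parser treats specially and on nobody later dropping the call; building the replacement as nodes removes that dependency entirely, e.g. `node = fragment.document.create_text_node("#{text} ")`, `el.replace(node)`, `node.add_next_sibling(link)`. Where `text` comes from is outside the hunk, so whether it is already plain text (as from `Node#text`) or could carry raw entities cannot be confirmed here. A regression spec that runs a summary containing `<`, `>` and `&` through the excerpt and asserts the characters appear literally would pin the behaviour this commit fixes. The enclosing `do` block starts before the hunk.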