From e75939c08372c47529578a0649a0cbdb5379814b Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Sun, 15 Feb 2015 16:51:46 +0000 Subject: [PATCH] Mark html notifications as html-safe, else escape no issue - Use the double-tash escaping output for notification messages - Mark known and trusted html notifications as html-safe Credits: Abdel Adim Oisif --- core/client/mixins/editor-base-controller.js | 4 ++-- core/client/mixins/validation-engine.js | 9 ++++++--- core/client/templates/components/gh-notification.hbs | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/core/client/mixins/editor-base-controller.js b/core/client/mixins/editor-base-controller.js index c6f90d2c7d..7a87b08107 100644 --- a/core/client/mixins/editor-base-controller.js +++ b/core/client/mixins/editor-base-controller.js @@ -197,7 +197,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, { if (status === 'published') { message += ' View ' + this.get('postOrPage') + ''; } - this.notifications.showSuccess(message, {delayed: delay}); + this.notifications.showSuccess(message.htmlSafe(), {delayed: delay}); }, showErrorNotification: function (prevStatus, status, errors, delay) { @@ -206,7 +206,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, { message += '
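Review bot: Calling `message.htmlSafe()` in showSuccessNotification vouches for every piece concatenated into `message`, including `this.get('postOrPage')` and whatever the link markup around ' View ' interpolates (the tag text appears stripped in this rendering), yet none of those pieces is escaped before concatenation. `postOrPage` is presumably a fixed word, but if the link target is derived from model data such as a slug or URL it should go through `Ember.Handlebars.Utils.escapeExpression(...)` before being spliced in, as the validation-engine hunk does. A comment on the changed line would protect future edits, e.g. `// message is marked html-safe: every value interpolated above must be a constant or escaped`. The start of this function, where `message` is initialised, is outside the hunk.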
' + error; - this.notifications.showError(message, {delayed: delay}); + this.notifications.showError(message.htmlSafe(), {delayed: delay}); }, shouldFocusTitle: Ember.computed.alias('model.isNew'), diff --git a/core/client/mixins/validation-engine.js b/core/client/mixins/validation-engine.js index bc58b71c3d..ec01053687 100644 --- a/core/client/mixins/validation-engine.js +++ b/core/client/mixins/validation-engine.js @@ -29,12 +29,15 @@ function formatErrors(errors, opts) { // get the validator's error messages from the array. // normalize array members to map to strings. message = errors.map(function (error) { + var errorMessage; if (typeof error === 'string') { - return error; + errorMessage = error; + } else { + errorMessage = error.message; } - return error.message; - }).join('
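Review bot: showErrorNotification appends `error` to `message` unescaped and then marks the whole string with `.htmlSafe()`, so any markup inside a validation or server error message is rendered raw by the now-escaping `{{message.message}}` — this hunk reintroduces the injection the rest of the commit removes. The validation-engine hunk already escapes each member before joining and calling htmlSafe; this site should match it: `message += '<br />' + Ember.Handlebars.Utils.escapeExpression(error);` (the separator literal between the quotes appears stripped in this rendering). If `error` can itself be a SafeString returned by formatErrors, `+` coerces it to a plain string and the result is re-marked safe, which is only acceptable when every member was escaped first. The beginning of this function and the loop that yields `error` are outside the hunk.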
'); + return Ember.Handlebars.Utils.escapeExpression(errorMessage); + }).join('
').htmlSafe(); } else if (errors instanceof Error) { message += errors.message || '.'; } else if (typeof errors === 'object') { diff --git a/core/client/templates/components/gh-notification.hbs b/core/client/templates/components/gh-notification.hbs index e239c20a04..80e7869bc7 100644 --- a/core/client/templates/components/gh-notification.hbs +++ b/core/client/templates/components/gh-notification.hbs @@ -1,6 +1,6 @@
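Review bot: The array branch of formatErrors now escapes each member and marks the joined string html-safe, but nothing records why, while the neighbouring `Error` and `object` branches still build plain strings that rely on the template escaping them — a later edit could easily "harmonise" one branch with the other and lose the protection. Add a comment above the `errors.map`, e.g. `// Escape each message individually: the joined result is marked html-safe so the <br /> separators render, and the template will not escape it again.` Also, `errorMessage` is `undefined` when a non-string member has no `.message`; escapeExpression presumably returns an empty string for that, but `String(error.message || '')` would make the intent explicit rather than relying on the helper's tolerance. formatErrors begins before this hunk.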
- {{{message.message}}} + {{message.message}}
\ No newline at end of file
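Review bot: Switching to the double-stash `{{message.message}}` escapes plain strings but still renders any `Ember.Handlebars.SafeString` verbatim, so the template's safety now rests entirely on every `.htmlSafe()` caller having escaped its interpolated parts first, and the template gives no hint of that contract. A Handlebars comment above the line would document it: `{{!-- message.message is escaped unless the caller marked it html-safe; htmlSafe() values must be built only from constants and escapeExpression()'d text --}}`. The component's wrapper markup appears stripped in this rendering, so I cannot confirm whether any other triple-stash or attribute interpolation remains in this file.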