From bd0fb88a5201b79a47cb50040ca4533549384b95 Mon Sep 17 00:00:00 2001
From: Rishabh Garg
Date: Mon, 29 Oct 2018 17:49:46 +0530
Subject: [PATCH] Fixed sanitization of user invited emails for notification message (#1060)

no issue

- Escaped email ids string sent to notification message during blog setup

Credits: Antony Garand
---
 ghost/admin/app/controllers/setup/three.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ghost/admin/app/controllers/setup/three.js b/ghost/admin/app/controllers/setup/three.js
index dcb0a18f93..c5d0ef7fc3 100644
--- a/ghost/admin/app/controllers/setup/three.js
+++ b/ghost/admin/app/controllers/setup/three.js
@@ -1,6 +1,7 @@
 /* eslint-disable ghost/ember/alias-model-in-controller */
 import Controller, {inject as controller} from '@ember/controller';
 import DS from 'ember-data';
+import Ember from 'ember';
 import RSVP from 'rsvp';
 import validator from 'npm:validator';
 import {alias} from '@ember/object/computed';
@@ -228,7 +229,7 @@ export default Controller.extend({
 if (erroredEmails.length > 0) {
 invitationsString = erroredEmails.length > 1 ? ' invitations: ' : ' invitation: ';
 message = `Failed to send ${erroredEmails.length} ${invitationsString}`;
- message += erroredEmails.join(', ');
+ message += Ember.Handlebars.Utils.escapeExpression(erroredEmails.join(', '));
 message += '. Please check your email configuration, see https://docs.ghost.org/v1.0.0/docs/mail-config for instructions';
 message = htmlSafe(message);
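Review bot: The added `import Ember from 'ember';` pulls in the whole Ember global namespace while every other line in this import block uses a scoped module path (`@ember/controller`, `@ember/object/computed`), and its only use in the patch is `Ember.Handlebars.Utils.escapeExpression` in the second hunk. If the Ember version this project runs exposes the same escaping helper under a module import, a named import would keep the block consistent and let lint flag stray global usage; if it does not, a short comment on the line, `// global import: escapeExpression for the alert text has no module-import path here`, would explain why this line is the exception. The escaping itself is the right call, since `htmlSafe` further down marks the whole message as trusted markup, so any string joined into it that originates from user input has to be escaped before that point.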