From 539d323f04ef95301ac6bce1d269d25d1e048aa8 Mon Sep 17 00:00:00 2001
From: Aaron Wells
Date: Wed, 8 Jul 2015 12:31:12 +1200
Subject: [PATCH] HTML-escape page title in watchlist JSON response (Bug 1472439)

Change-Id: I445c763b09928ce03ae8561605e593bc23bba122
---
 htdocs/view/togglewatchlist.json.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/view/togglewatchlist.json.php b/htdocs/view/togglewatchlist.json.php
index b61f600b07..81446fa452 100644
--- a/htdocs/view/togglewatchlist.json.php
+++ b/htdocs/view/togglewatchlist.json.php
@@ -31,7 +31,7 @@ if (!can_view_view($view)) {
 json_reply('local', $result);
 }
-$title = $view->get('title');
+$title = hsc($view->get('title'));
 if (get_record('usr_watchlist_view', 'usr', $data->usr, 'view', $viewid)) {
 if (!delete_records('usr_watchlist_view', 'usr', $data->usr, 'view', $viewid)) {
-- 
GitLab
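Review bot: `$title = hsc($view->get('title'));` stores the HTML-encoded title back into a variable whose name still reads as the raw value, and nothing at the assignment says which output context it is encoded for. The uses of `$title` fall outside this hunk (the `if (get_record(...))` block runs past its end), so it cannot be confirmed from here that every one of them is an HTML sink. A later use that escapes again or expects plain text would show double-encoded entities. I would add a comment above the line such as `// HTML-escaped here: the user-supplied title is embedded in the message returned in the JSON reply`, or apply `hsc()` where the message string is built so the encoding sits next to the sink.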