>From 1ef28bf265608d3554b1c19d5e55cce8abb79501 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Mon, 16 Feb 2015 14:32:19 +0100
Subject: [PATCH] Fix potential XSS in flash rendering

---
 app/controllers/account_controller.rb | 2 +-
 app/controllers/admin_controller.rb | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 2ad7af6..57e08c3 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -293,7 +293,7 @@ class AccountController < ApplicationController
         token = Token.new(:user => user, :action => "register")
         if user.save and token.save
           Mailer.register(token).deliver
-          flash[:notice] = l(:notice_account_register_done, :email => user.mail)
+          flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
           redirect_to signin_path
         else
           yield if block_given?
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index f3d0222..d7a40f9 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -51,7 +51,7 @@ class AdminController < ApplicationController
         Redmine::DefaultData::Loader::load(params[:lang])
         flash[:notice] = l(:notice_default_data_loaded)
       rescue Exception => e
-        flash[:error] = l(:error_can_t_load_default_data, e.message)
+        flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
       end
     end
     redirect_to admin_path
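Review bot: The added `ERB::Util.h(user.mail)` escapes at the point the value enters the flash, which only helps because the flash is presumably rendered as trusted HTML somewhere in the views; nothing on the line records that dependency, so a later cleanup is likely to drop the call and silently reopen the issue. Suggest a why-comment directly above the new line, `# flash text is rendered as HTML downstream; escape user-supplied values here`, and the same comment at the two admin_controller hunks, which apply the identical pattern. A functional test that registers a user whose mail contains `<` and asserts the escaped entity in `flash[:notice]` would pin the behaviour against regression. The enclosing method starts and ends outside the hunk.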
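Review bot: `ERB::Util.h(e.message)` on the new line receives the exception text without an encoding scrub, whereas the later hunk in the same file (the `@@ -63,9` one) first runs `e.message.dup` through `Redmine::CodesetUtil.replace_invalid_utf8`; if a loader error message carries invalid UTF-8 bytes, the regex-based escape may raise `ArgumentError` inside the `rescue` and turn a reported error into an unhandled one. For consistency with that hunk, consider `flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))`. The enclosing method starts before the hunk.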
@@ -63,9 +63,9 @@ class AdminController < ApplicationController
     ActionMailer::Base.raise_delivery_errors = true
     begin
       @test = Mailer.test_email(User.current).deliver
-      flash[:notice] = l(:notice_email_sent, User.current.mail)
+      flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
     rescue Exception => e
-      flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
+      flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
     end
     ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
     redirect_to settings_path(:tab => 'notifications')
-- 
2.2.2