From e2ac1d1470b97efc2e23d389e5b889d0051dc014 Mon Sep 17 00:00:00 2001
From: Juanfran
Date: Tue, 12 Jan 2016 08:14:19 +0100
Subject: [PATCH] prevent delete role xss

---
app/coffee/modules/common/confirm.coffee | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/coffee/modules/common/confirm.coffee b/app/coffee/modules/common/confirm.coffee
index b309df4a..be7452cc 100644
--- a/app/coffee/modules/common/confirm.coffee
+++ b/app/coffee/modules/common/confirm.coffee
@@ -95,22 +95,23 @@ class ConfirmService extends taiga.Service
el = angular.element(lightboxSelector)

# Render content
- el.find(".title").html(title)
- el.find(".subtitle").html(subtitle)
+ el.find(".title").text(title)
+ el.find(".subtitle").text(subtitle)

if replacement
- el.find(".replacement").html(replacement)
+ el.find(".replacement").text(replacement)
else
el.find(".replacement").remove()

if warning
- el.find(".warning").html(warning)
+ el.find(".warning").text(warning)
else
el.find(".warning").remove()

choicesField = el.find(".choices")
choicesField.html('')
_.each choices, (value, key) ->
+ value = _.escape(value)
choicesField.append(angular.element(""))

# Assign event handlers
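Review bot: The `_.each` callback escapes `value` but leaves `key` untouched, and the markup inside the `angular.element("")` call (apparently stripped in this rendering of the patch) presumably interpolates both, so if `key` lands in an attribute or text node it needs the same treatment, `key = _.escape(key)`, or better, build the anchor through the DOM API so no string escaping is needed at all, e.g. `angular.element("<a/>").attr("data-value", key).text(value)` adapted to whatever the original template contains. Note also that switching `.html()` to `.text()` for title, subtitle, replacement and warning means any caller that legitimately passed markup (a translation string with `<strong>`, say) will now display the tags literally, which is worth checking against the callers of this service. The enclosing method starts before and continues after this hunk.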