Fix: prevent XSS on cc change form.

dblock · Oct 31, 2024 · 5deee56 · 5deee56
1 parent a2d94a5
commit 5deee56
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/public/subscribe.html.erb b/public/subscribe.html.erb
@@ -45,7 +45,7 @@
           };
 
           var coupon = {
-            code: <%= coupon ? "'#{coupon.id}'" : 'null' %>
+            code: "<%= coupon && coupon.id %>"
           };
 
           var subscription = {

diff --git a/public/update_cc.html.erb b/public/update_cc.html.erb
@@ -41,9 +41,9 @@
       <script>
         $(document).ready(function() {
           var data = {
-            stripe_token: "<%= stripe_token %>",
-            stripe_token_type: "<%= stripe_token_type %>",
-            stripe_email: "<%= stripe_email %>",
+            stripe_token: "<%=h stripe_token %>",
+            stripe_token_type: "<%=h stripe_token_type %>",
+            stripe_email: "<%=h stripe_email %>",
             team_id: "<%= team.id %>"
           };