From a984a27fa09adf24e6b846ec3e412b8d7d95e532 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Mon, 18 Feb 2013 08:04:35 +0100
Subject: [PATCH] Sanitize user input

---
 settings/js/users.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/settings/js/users.js b/settings/js/users.js
index 086b0884a3..63a6204983 100644
--- a/settings/js/users.js
+++ b/settings/js/users.js
@@ -182,7 +182,7 @@ var UserList = {
 			var addGroup = function (select, group) {
 				$('select[multiple]').each(function (index, element) {
 					if ($(element).find('option[value="' + group + '"]').length === 0 && select.data('msid') !== $(element).data('msid')) {
-						$(element).append('<option value="' + group + '">' + group + '</option>');
+						$(element).append('<option value="' + escapeHTML(group) + '">' + escapeHTML(group) + '</option>');
 					}
 				})
 			};
-- 
GitLab