From 1fefc8d427e62ccb59f28a8a1de98fa26723a58c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 26 Sep 2016 17:05:30 +0300
Subject: [PATCH] backport xss fix
---
 src/controllers/admin/flags.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/controllers/admin/flags.js b/src/controllers/admin/flags.js
index 340eda0a9d..b94c282094 100644
--- a/src/controllers/admin/flags.js
+++ b/src/controllers/admin/flags.js
@@ -1,6 +1,7 @@
 "use strict";
 var async = require('async');
+var validator = require('validator');
 var posts = require('../../posts');
 var analytics = require('../../analytics');
@@ -36,7 +37,7 @@ flagsController.get = function(req, res, next) {
 posts: results.posts,
 analytics: results.analytics,
 next: stop + 1,
- byUsername: byUsername,
+ byUsername: validator.escape(String(byUsername)),
 title: '[[pages:flagged-posts]]'
 };
 res.render('admin/manage/flags', data);
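Review bot: In the second hunk, `String(byUsername)` produces the literal text `undefined` or `null` if `byUsername` can reach this line unset, and that text would then be rendered in the admin page. The declaration of `byUsername` is outside the hunk, so it may already default to an empty string; if it does not, `byUsername: validator.escape(String(byUsername || '')),` keeps the coercion (which also flattens array or object query values) without leaking a placeholder word. The line would also benefit from a short why-comment, for example `// user-supplied filter value; escaped because it is echoed back into the admin flags template`, assuming the value comes from the request as the commit subject implies. Only the copy placed in `data` is escaped, which looks intentional, but any other response field derived from the same input should get the same treatment. `flagsController.get` starts and ends outside the hunk.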