From 742ddd358be418ab7eb4dc8c80230b0f7b30f912 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <baris@nodebb.org>
Date: Fri, 22 Jun 2018 07:33:18 -0400
Subject: [PATCH] escape url

---
 public/src/modules/pictureCropper.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/src/modules/pictureCropper.js b/public/src/modules/pictureCropper.js
index 5a02962d1a..60e7f2708c 100644
--- a/public/src/modules/pictureCropper.js
+++ b/public/src/modules/pictureCropper.js
@@ -33,7 +33,7 @@ define('pictureCropper', ['translator', 'cropper', 'benchpress'], function (tran
 	module.handleImageCrop = function (data, callback) {
 		$('#crop-picture-modal').remove();
 		Benchpress.parse('modals/crop_picture', {
-			url: data.url,
+			url: utils.escapeHTML(data.url),
 		}, function (cropperHtml) {
 			translator.translate(cropperHtml, function (translated) {
 				var cropperModal = $(translated);