From fdd85140587799a442edb9f3ca1b8ecaf4ea0bb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Tue, 30 Aug 2016 13:18:40 +0300
Subject: [PATCH] backport https://github.com/NodeBB/NodeBB/issues/4997

---
 src/controllers/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/controllers/index.js b/src/controllers/index.js
index bd6daa6581..f0b9547c0d 100644
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@@ -109,7 +109,7 @@ Controllers.login = function(req, res, next) {
 	if (req.query.error === 'csrf-invalid') {
 		errorText = '[[error:csrf-invalid]]';
 	} else if (req.query.error) {
-		errorText = req.query.error;
+		errorText = validator.escape(String(req.query.error));
 	}
 
 	data.alternate_logins = loginStrategies.length > 0;