Thread:Manuel de la Fuente/@comment-188432-20180123175123/@comment-188432-20180125004727

Hey :) So, due to time zone differences amongst staff members, we were having further discussions about your code, even after it got approved. And we discovered a vulnerability we'd like for you to address before this code grows too much more. For that reason, I've rejected your latest revision.

We're worried that you're getting JSON values from the Discussions service, and those values are therefore not HTML escaped. So just getting the username from the service can be a worry, because it could theoretically contain unescaped HTML.

Could you please go back through your code and wrap all the values drawn from the Discussions service in  so that we're properly protecting against unescaped HTML? Thanks :)
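One way to apply the fix the reply asks for, as an added example in JavaScript that is not code from this thread, from the script under review, or from the Discussions service itself. The `escapeHtml` helper, the field names in the sample JSON response (`createdBy.name`, `rawContent`), and the two render functions are all assumptions made for the illustration:

```javascript
// Added example (not the thread's own code): values pulled from a JSON service
// response are plain strings, not HTML, so each one must be escaped before it
// is placed into markup. Assumed helper, standing in for whatever escape
// function the project provides.
const escapeHtml = (value) =>
  String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);

// Constructed sample payload in the shape of a JSON post; field names are
// hypothetical. The username deliberately contains markup to show the problem.
const samplePost = JSON.parse(
  '{"createdBy":{"name":"<b>not bold</b>"},"rawContent":"Tom & \\"Jerry\\" <3"}'
);

// Unsafe: raw service values are concatenated straight into the template,
// so any tag inside the username is rendered as real HTML.
function renderUnsafe(post) {
  return `<span class="author">${post.createdBy.name}</span>: ${post.rawContent}`;
}

// Safe: every service-derived value passes through escapeHtml first, so the
// only tags in the output are the ones written in the template.
function renderSafe(post) {
  return `<span class="author">${escapeHtml(post.createdBy.name)}</span>: ${escapeHtml(post.rawContent)}`;
}

// Quick check for a rendering function: does the produced markup contain any
// tag name that is not part of the template's own allow-list?
function containsForeignTag(html, allowedTags) {
  const tagPattern = /<\/?([a-z][a-z0-9-]*)/gi;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!allowedTags.includes(match[1].toLowerCase())) {
      return true;
    }
  }
  return false;
}

console.log('unsafe:', renderUnsafe(samplePost));
console.log('safe:  ', renderSafe(samplePost));
console.log('unsafe has foreign tag:', containsForeignTag(renderUnsafe(samplePost), ['span']));
console.log('safe has foreign tag:  ', containsForeignTag(renderSafe(samplePost), ['span']));
```

The `containsForeignTag` check is a cheap regression test to keep beside the rendering code: if a later change concatenates a new service field without escaping it, a sample value containing a tag will make the check trip.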