From 81bf6a1f444cecce723ef9a06336667f48b789d2 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Tue, 6 Nov 2018 17:43:55 +0700
Subject: [PATCH] Fixed sanitization of user invited emails for notification message (#1060) (1.x backport)

no issue

- Escaped email ids string sent to notification message during blog setup

Credits: Antony Garand
---
 app/controllers/setup/three.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/setup/three.js b/app/controllers/setup/three.js
index 022b3a03b..b1dfc2465 100644
--- a/app/controllers/setup/three.js
+++ b/app/controllers/setup/three.js
@@ -1,6 +1,7 @@
 /* eslint-disable ghost/ember/alias-model-in-controller */
 import Controller, {inject as controller} from '@ember/controller';
 import DS from 'ember-data';
+import Ember from 'ember';
 import RSVP from 'rsvp';
 import validator from 'npm:validator';
 import {alias} from '@ember/object/computed';
@@ -228,7 +229,7 @@ export default Controller.extend({
 if (erroredEmails.length > 0) {
 invitationsString = erroredEmails.length > 1 ? ' invitations: ' : ' invitation: ';
 message = `Failed to send ${erroredEmails.length} ${invitationsString}`;
- message += erroredEmails.join(', ');
+ message += Ember.Handlebars.Utils.escapeExpression(erroredEmails.join(', '));
 message += '. Please check your email configuration, see https://docs.ghost.org/v1.0.0/docs/mail-config for instructions';
 message = htmlSafe(message);
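Review bot: The added `import Ember from 'ember';` in the first hunk is the only legacy global import in a file that otherwise uses module imports (`@ember/controller`, `@ember/object/computed`), and nothing on the line says why the global is needed. A short why-comment would keep a later cleanup from treating it as an odd leftover, e.g. `// Global import: used only for Ember.Handlebars.Utils.escapeExpression below`. From what the second hunk shows, the import exists so that user-supplied email addresses are escaped before the assembled message is marked `htmlSafe`, which is the reason the escaping must not be removed; that link is worth stating at the import since the two hunks are far apart in the file.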