From bb5a9e815313f1f7c91338e171bfe5acb8f3e346 Mon Sep 17 00:00:00 2001
From: Oliver Eyton-Williams <ojeytonwilliams@gmail.com>
Date: Mon, 13 Jan 2020 10:56:29 +0100
Subject: [PATCH] fix(security): treat messages as text, not HTML (#38062)

---
 client/src/components/Flash/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/src/components/Flash/index.js b/client/src/components/Flash/index.js
index c312b33d1b..2996487f4f 100644
--- a/client/src/components/Flash/index.js
+++ b/client/src/components/Flash/index.js
@@ -11,7 +11,7 @@ function Flash({ flashMessage, onClose }) {
     <TransitionGroup>
       <CSSTransition classNames='flash-message' key={id} timeout={500}>
         <Alert bsStyle={type} className='flash-message' onDismiss={onClose}>
-          <div dangerouslySetInnerHTML={{ __html: message }} />
+          {message}
         </Alert>
       </CSSTransition>
     </TransitionGroup>