[CVE-2015-1866] Ember.js XSS Vulnerability With {{view "select"}} Options
Data passed as the label of select options may not be escaped before being passed to the browser.
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option's label will not be escaped correctly.
In applications that use Ember's select view and pass user-supplied content to the label, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS").
All users running an affected release and binding user-supplied data to the select options should either upgrade or use one of the workarounds immediately.
Ensure that you escape any user-supplied value that you bind to an option label. For example, if you bind a label:
Ensure that you escape the `name` value of each item `people` using Ember.Handlebars.Utils.escapeExpression:
This vulnerability was reported to us by Phillip Haines of Zestia. Many thanks for working with us on identifying the issue and on the advisory process.