From fb0b35d85dfa8d53a977ae148635344dc03f1b3f Mon Sep 17 00:00:00 2001
From: Dave Hulbert <dave1010@gmail.com>
Date: Wed, 24 Sep 2025 16:34:01 +0100
Subject: [PATCH] Escape user data in server-data.rst

Escape user data for HTML attributes to prevent XSS.

This is already done in the second code snippet below.
---
 frontend/server-data.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/server-data.rst b/frontend/server-data.rst
index 479c4ec21c2..62e60976111 100644
--- a/frontend/server-data.rst
+++ b/frontend/server-data.rst
@@ -10,7 +10,7 @@ them later in JavaScript. For example:
 
     <div class="js-user-rating"
         data-is-authenticated="{{ app.user ? 'true' : 'false' }}"
-        data-user="{{ app.user|serialize(format = 'json') }}"
+        data-user="{{ app.user|serialize(format = 'json')|e('html_attr') }}"
     >
         <!-- ... -->
     </div>