From 056e4f0601803d376c968a61ed30623a15999d6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <baris@nodebb.org>
Date: Wed, 25 Oct 2017 09:08:03 -0400
Subject: [PATCH] #6004

---
 package.json             | 1 +
 src/middleware/header.js | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index aad4a1cade..136d122611 100644
--- a/package.json
+++ b/package.json
@@ -44,6 +44,7 @@
     "ipaddr.js": "^1.5.4",
     "jimp": "0.2.28",
     "jquery": "^3.2.1",
+    "jsesc": "2.5.1",
     "json-2-csv": "^2.1.2",
     "less": "^2.7.2",
     "lodash": "^4.17.4",
diff --git a/src/middleware/header.js b/src/middleware/header.js
index eb4dd0abaa..84dd2dca36 100644
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
@@ -2,6 +2,7 @@
 
 var async = require('async');
 var nconf = require('nconf');
+var jsesc = require('jsesc');
 
 var db = require('../database');
 var user = require('../user');
@@ -60,7 +61,7 @@ module.exports = function (middleware) {
 			bodyClass: data.bodyClass,
 		};
 
-		templateValues.configJSON = JSON.stringify(res.locals.config).replace(/\\"/g, '\\\\"').replace(/'/g, '\\\'').replace(/<\//g, '<\\/');
+		templateValues.configJSON = jsesc(JSON.stringify(res.locals.config), { isScriptContext: true });
 
 		async.waterfall([
 			function (next) {
@@ -127,7 +128,7 @@ module.exports = function (middleware) {
 				results.user.isGlobalMod = results.isGlobalMod;
 				results.user.isMod = !!results.isModerator;
 				results.user.uid = parseInt(results.user.uid, 10);
-				results.user.email = String(results.user.email).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+				results.user.email = String(results.user.email);
 				results.user['email:confirmed'] = parseInt(results.user['email:confirmed'], 10) === 1;
 				results.user.isEmailConfirmSent = !!results.isEmailConfirmSent;
 
@@ -141,7 +142,7 @@ module.exports = function (middleware) {
 				templateValues.isGlobalMod = results.user.isGlobalMod;
 				templateValues.showModMenu = results.user.isAdmin || results.user.isGlobalMod || results.user.isMod;
 				templateValues.user = results.user;
-				templateValues.userJSON = JSON.stringify(results.user);
+				templateValues.userJSON = jsesc(JSON.stringify(results.user), { isScriptContext: true });
 				templateValues.useCustomCSS = parseInt(meta.config.useCustomCSS, 10) === 1 && meta.config.customCSS;
 				templateValues.customCSS = templateValues.useCustomCSS ? (meta.config.renderedCustomCSS || '') : '';
 				templateValues.useCustomJS = parseInt(meta.config.useCustomJS, 10) === 1;