From e33dfe3c554d05fc2f5c13fa9b72f17bb1e11986 Mon Sep 17 00:00:00 2001
From: barisusakli <barisusakli@gmail.com>
Date: Tue, 30 Aug 2016 13:17:48 +0300
Subject: [PATCH] closes #4997

---
 src/controllers/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/controllers/index.js b/src/controllers/index.js
index d39352e6d0..2689d58cbf 100644
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@@ -109,7 +109,7 @@ Controllers.login = function(req, res, next) {
 	if (req.query.error === 'csrf-invalid') {
 		errorText = '[[error:csrf-invalid]]';
 	} else if (req.query.error) {
-		errorText = req.query.error;
+		errorText = validator.escape(req.query.error);
 	}
 
 	data.alternate_logins = loginStrategies.length > 0;