Summary:
A developer found a bug in the Rails escape_javascript helper related to ES6 “template literals”, i.e. backtick-delimited strings, and reported it through HackerOne. The helper escaped the quote characters that terminate classic single- and double-quoted JavaScript strings but left the backtick alone, so a user-controlled value that a view interpolated into a template literal could close the literal (or open a ${...} interpolation) and run attacker-supplied JavaScript. It took over a year from the report for a patch to be released.
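As an added illustration (this is example code written for this page, not Rails' own implementation), the snippet below re-creates an escape_javascript-style helper as a plain character map in two versions: one that, like the unpatched helper, knows nothing about backticks, and one with the backtick and dollar sign added, which is what the shipped Rails fix does. A small check then confirms whether a constructed payload still breaks out of a template-literal context after each version of the escaping. The map contents, the escape_js / render_js_contexts / template_breakout? names and the PAYLOAD value are all assumptions of this example.

```ruby
# Added example, not Rails' code: a minimal escape_javascript-style helper
# implemented as a character map, before and after backtick handling.

# Assumed pre-fix map: handles backslash, "</", newlines and both classic
# quote characters, but has no entry for the backtick or "$".
OLD_ESCAPE_MAP = {
  "\\"   => "\\\\",
  "</"   => '<\/',
  "\r\n" => '\n',
  "\n"   => '\n',
  "\r"   => '\n',
  '"'    => '\\"',
  "'"    => "\\'",
}.freeze

# Post-fix map: the backtick can no longer terminate a template literal and
# "${" can no longer start an interpolation inside one.
NEW_ESCAPE_MAP = OLD_ESCAPE_MAP.merge(
  "`" => "\\`",
  "$" => "\\$",
).freeze

# Replace every key of the map with its escaped form. Regexp.union tries
# alternatives in order, so "\r\n" is matched before the lone "\r".
def escape_js(value, map)
  pattern = Regexp.union(map.keys)
  value.to_s.gsub(pattern) { |m| map[m] }
end

# Build the text a view would emit for the three JavaScript string contexts.
# Nothing here executes JavaScript; we only construct the source text.
def render_js_contexts(value, map)
  escaped = escape_js(value, map)
  {
    double:   %(var name = "#{escaped}";),
    single:   %(var name = '#{escaped}';),
    template: %(var name = `#{escaped}`;),
  }
end

# Heuristic breakout check for the template-literal rendering: strip the
# wrapper, drop every backslash-escaped character, and see whether a raw
# backtick or "${" remains (either one lets the payload leave the string).
def template_breakout?(rendered_template)
  body = rendered_template.delete_prefix("var name = `").delete_suffix("`;")
  stripped = body.gsub(/\\./, "")
  stripped.include?("`") || stripped.include?("${")
end

# Constructed attacker-controlled input, e.g. a display name. It closes the
# template literal, runs a statement, then opens an empty literal so the
# surrounding JavaScript still parses.
PAYLOAD = "x`;alert(document.cookie);`".freeze

if __FILE__ == $0
  { "old map" => OLD_ESCAPE_MAP, "new map" => NEW_ESCAPE_MAP }.each do |label, map|
    rendered = render_js_contexts(PAYLOAD, map)
    puts "#{label}: #{rendered[:template]}"
    puts "  breakout possible: #{template_breakout?(rendered[:template])}"
  end
end
```

The double- and single-quoted renderings are safe under both maps, which is exactly why the gap went unnoticed for so long: the helper only looks broken once a view starts using backtick strings. The practical check for an application is therefore not "do we call escape_javascript" but "do any of our templates interpolate escaped values inside backticks", and whether the Rails version in use escapes the backtick.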
Rails on HackerOne (the report referenced here shows as awarded but still not officially disclosed)
I am curious who’s paying for the HackerOne bounties, and would like to say THANK YOU to whoever that is!