- < 1.10.0
- ~> 1.10.1
- ~> 1.11.2
- >= 1.12.0
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option’s label will not be escaped correctly.
All users running an affected release and binding user-supplied data to the select options should either upgrade or use one of the workarounds immediately.