Possible security hole in confirmation dialog due to use of SpaceBars.SafeString()

[derwok]

Example: create a meeting series with this name: <div onclick="alert(1);">test</div>

Then delete the meeting series. In the confirmation dialog this code will make the name clickable:

 'getContent': function() {
        // SafeString allows us to pass html content
        return Spacebars.SafeString(Session.get("confirmationDialogContent"));
    },

[felixble]

We extend our confirmation dialog so that we can pass a template name and data context. Then the confirmation dialog uses blaze to render the template and the usage of SpaceBars.SafeString() is only necessary to inject the html produced by blaze which is safe.