Merge pull request #3767 from overleaf/jpa-xss-9

[views] mitigate Angular XSS in email confirmation post gateway

GitOrigin-RevId: 11cd752d520054e448b3eeea431fe27f3c02fa00

services/web/app/views/user/confirm_email.pug

@@ -18,11 +18,11 @@ block content
 							ng-cloak
 						)
 							input(type="hidden", name="_csrf", value=csrfToken)
-							input(type="hidden", name="token", value=token)
+							input(type="hidden", name="token", value=token ng-non-bindable)
 							form-messages(for="confirmEmailForm")
 								.alert.alert-success(ng-show="confirmEmailForm.response.success")
 									| Thank you, your email is now confirmed
 							p.text-center(ng-show="!confirmEmailForm.response.success && !confirmEmailForm.response.error")
 								i.fa.fa-fw.fa-spin.fa-spinner(aria-hidden="true")
-								| 
+								|
 								| Confirming your email…