-<% display_name = (User.find_by_id(params[:user_id])).display_name %>
+<% user_id = params[:user_id] || @user_id %>
+<% display_name = User.find_by_id(user_id).display_name %>
-<h2>Send a new message to <%= display_name %></h2>
+<h2>Send a new message to <%= h(display_name) %></h2>
<% if params[:display_name] %>
-<p>Writing a new message to <%= params[:display_name] %></p>
+<p>Writing a new message to <%= h(params[:display_name]) %></p>
<p>TODO: drop down box of your friends</p>
<%end%>
<%= error_messages_for 'message' %>
-<% form_for :message do |f| %>
+<% form_for :message, :url => { :action => "new", :user_id => user_id } do |f| %>
<table>
<tr valign="top">
<th>Subject</th>
- <td><%= f.text_field :title, :size => 60 %></td>
+ <td><%= f.text_field :title, :size => 60, :value => @title %></td>
</tr>
<tr valign="top">
<th>Body</th>
- <td><%= f.text_area :body, :cols => 80 %></td>
+ <td><%= f.text_area :body, :cols => 80, :value => @body %></td>
</tr>
<tr>
<th></th>