Add a few more escape calls to prevent nasty HTML being rendered. Also

[rails.git] / app / views / message / read.rhtml

diff --git a/app/views/message/read.rhtml b/app/views/message/read.rhtml
index 4117057d006388f48ec7a7e94de19007df541216..b3dcd1f23a84d3fb562c7603bef3b444e73f22bf 100644 (file)
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@@ -9,7 +9,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
   </tr>
   <tr>
     <th align="right">Date</th>
@@ -17,7 +17,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= @message.body %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>
 
@@ -42,7 +42,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
   </tr>
   <tr>
     <th align="right">Date</th>
@@ -50,7 +50,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= @message.body %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>