use h() to avoid XSS in usernames

author Ævar Arnfjörð Bjarmason <avarab@gmail.com>

Thu, 1 Oct 2009 20:02:54 +0000 (20:02 +0000)

committer Ævar Arnfjörð Bjarmason <avarab@gmail.com>

Thu, 1 Oct 2009 20:02:54 +0000 (20:02 +0000)
author Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Thu, 1 Oct 2009 20:02:54 +0000 (20:02 +0000)
committer Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Thu, 1 Oct 2009 20:02:54 +0000 (20:02 +0000)
diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb

index 66123e717959d2f64434e295c042f69b5ea78d0a..c52c94818e2f33fc44fbffe4b335f3636bcd2477 100644 (file)
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@@ -8,7 +8,7 @@
    <%= f.error_messages %>
  
    <p>
-    <%= f.label :reason, t('user_block.edit.reason', :name => @user_block.user.display_name) %><br />
+    <%= f.label :reason, t('user_block.edit.reason', :name => h(@user_block.user.display_name)) %><br />
      <%= f.text_area :reason %>
    </p>
    <p>
diff --git a/app/views/user_blocks/new.html.erb b/app/views/user_blocks/new.html.erb

index 3d0d2d0bf754651115639df4569368d6ef8d919e..470d60e8f2c1693a90f0fcf40c6c521df008e2a6 100644 (file)
--- a/app/views/user_blocks/new.html.erb
+++ b/app/views/user_blocks/new.html.erb
@@ -1,4 +1,4 @@
-<h1><%= t('user_block.new.title', :name => @this_user.display_name) %></h1>
+<h1><%= t('user_block.new.title', :name => h(@this_user.display_name)) %></h1>
  
  <% form_for(@user_block) do |f| %>
    <%= f.error_messages %>
author	Ævar Arnfjörð Bjarmason <avarab@gmail.com>
	Thu, 1 Oct 2009 20:02:54 +0000 (20:02 +0000)
committer	Ævar Arnfjörð Bjarmason <avarab@gmail.com>
	Thu, 1 Oct 2009 20:02:54 +0000 (20:02 +0000)
app/views/user_blocks/edit.html.erb		patch \| blob \| history
app/views/user_blocks/new.html.erb		patch \| blob \| history