From: Ævar Arnfjörð Bjarmason Date: Thu, 1 Oct 2009 20:02:54 +0000 (+0000) Subject: use h() to avoid XSS in usernames X-Git-Tag: live~7116^2~15 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/78e0ec74f74721a2652b7c950d0aa501363bceef?hp=e0ece007381036874d05423119f8a6cc8e934523 use h() to avoid XSS in usernames
---
diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb
index 66123e717..c52c94818 100644
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@@ -8,7 +8,7 @@ <%= f.error_messages %>

- <%= f.label :reason, t('user_block.edit.reason', :name => @user_block.user.display_name) %>
+ <%= f.label :reason, t('user_block.edit.reason', :name => h(@user_block.user.display_name)) %>
<%= f.text_area :reason %>

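Review bot: The escape on the added line is applied to the interpolated value rather than at the output boundary, so it is only sufficient because `f.label` and the surrounding `<%= %>` render their argument without further escaping (apparently Rails 2.x here, given the `<% form_for … %>` form in new.html.erb, where ERB output is not auto-escaped); the same per-value pattern is repeated in the new.html.erb hunk. Escaping the whole translated string instead, `<%= f.label :reason, h(t('user_block.edit.reason', :name => @user_block.user.display_name)) %>`, protects every interpolation of that key without having to know which arguments carry user-controlled data, provided the translation text itself carries no intentional markup. Either way, a functional test that renders this view for a user whose display_name contains `<b>` and asserts the `&lt;b&gt;` form in the response would pin the fix against regressions when these views are touched again. The `form_for` block that supplies `f` begins outside the hunk.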
diff --git a/app/views/user_blocks/new.html.erb b/app/views/user_blocks/new.html.erb
index 3d0d2d0bf..470d60e8f 100644
--- a/app/views/user_blocks/new.html.erb
+++ b/app/views/user_blocks/new.html.erb
@@ -1,4 +1,4 @@
-

<%= t('user_block.new.title', :name => @this_user.display_name) %>

+

<%= t('user_block.new.title', :name => h(@this_user.display_name)) %>

<% form_for(@user_block) do |f| %> <%= f.error_messages %>