From cf8bd08a66b7a7db92238a8d5a9e8836fda07871 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 4 Mar 2008 16:49:12 +0000
Subject: [PATCH] Escape user names in diary views.
---
 app/views/diary_entry/_diary_comment.rhtml | 2 +-
 app/views/diary_entry/_diary_entry.rhtml | 2 +-
 app/views/diary_entry/view.rhtml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/views/diary_entry/_diary_comment.rhtml b/app/views/diary_entry/_diary_comment.rhtml
index be621cf5b..2aca51f54 100644
--- a/app/views/diary_entry/_diary_comment.rhtml
+++ b/app/views/diary_entry/_diary_comment.rhtml
@@ -1,3 +1,3 @@
-

Comment from <%= link_to diary_comment.user.display_name, :controller => 'user', :action => 'view', :display_name => diary_comment.user.display_name %> at <%= diary_comment.created_at %>

+

Comment from <%= link_to h(diary_comment.user.display_name), :controller => 'user', :action => 'view', :display_name => diary_comment.user.display_name %> at <%= diary_comment.created_at %>

<%= htmlize(diary_comment.body) %>
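Review bot: The escaped link text on the `Comment from` line is the only user-controlled value this hunk protects; the comment body on the following context line still goes out through `htmlize(diary_comment.body)`, and whether that helper escapes before it linkifies cannot be seen from this patch, so the partial is only XSS-safe if `htmlize` applies its own `h()` first. This is Rails of the pre-auto-escaping era, where every `<%= %>` needs an explicit `h`, and nothing here records that the body path was checked alongside the name. A one-line reminder above the body output, `<%# body is user-supplied; htmlize must escape before linkifying %>`, would make that assumption visible to the next editor of this view.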
diff --git a/app/views/diary_entry/_diary_entry.rhtml b/app/views/diary_entry/_diary_entry.rhtml
index 8ff7afd34..372ec35f7 100644
--- a/app/views/diary_entry/_diary_entry.rhtml
+++ b/app/views/diary_entry/_diary_entry.rhtml
@@ -3,7 +3,7 @@ <% if diary_entry.latitude and diary_entry.longitude %> Coordinates:
<%= diary_entry.latitude %>; <%= diary_entry.longitude %>
(<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)
<% end %>
-Posted by <%= link_to diary_entry.user.display_name, :controller => 'user', :action => 'view', :display_name => diary_entry.user.display_name %> at <%= diary_entry.created_at %>
+Posted by <%= link_to h(diary_entry.user.display_name), :controller => 'user', :action => 'view', :display_name => diary_entry.user.display_name %> at <%= diary_entry.created_at %>
<% if params[:action] == 'list' %> <%= link_to 'Comment on this entry', :action => 'view', :display_name => diary_entry.user.display_name, :id => diary_entry.id, :anchor => 'newcomment' %> |
diff --git a/app/views/diary_entry/view.rhtml b/app/views/diary_entry/view.rhtml
index ca678c50b..6e1f75a32 100644
--- a/app/views/diary_entry/view.rhtml
+++ b/app/views/diary_entry/view.rhtml
@@ -1,4 +1,4 @@
-
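Review bot: The fixed `Posted by` line now repeats, apart from the receiver, the same `link_to h(user.display_name), :controller => 'user', :action => 'view', :display_name => user.display_name` expression that `_diary_comment.rhtml` gets in this commit, so the next view that links to a user has to remember the `h()` independently. A small helper in the application helper module, `def user_link(user) link_to h(user.display_name), :controller => 'user', :action => 'view', :display_name => user.display_name end`, called as `<%= user_link(diary_entry.user) %>` from both partials, would keep the escaping in one place. The latitude and longitude interpolations in the context lines above are left unescaped; that is fine if those columns are numeric, which this hunk cannot show.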

<%= @entry.user.display_name %>'s diary

+

<%= h(@entry.user.display_name) %>'s diary

<%= render :partial => 'diary_entry', :object => @entry %>
-- 2.39.5