Do some HTML escaping on election and candidate names
[selectricity-live] / app / views / election / _candidate_line_edit.rhtml
index ea20a4fd6e6ab718511c535f4f6700371cf510ff..61a9f6324cde461485f414975bd5f7cfdbd29783 100644 (file)
@@ -1,6 +1,6 @@
 <% -%>
 <div id="cand<%= @current_candidate.id %>">
-<p><strong><%= @current_candidate.name %></strong>
+<p><strong><%=h @current_candidate.name %></strong>
   (<%= link_to_remote "Delete",
                        :complete => "Element.remove('cand#{@current_candidate.id}')",
                        :url => { :action => :delete_candidate,
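Review bot: The new `<%=h @current_candidate.name %>` on the `<strong>` line uses a different call form from the description output further down this partial, which is written `<%= h(@current_candidate.description) %>`. Writing it as `<%= h(@current_candidate.name) %>` keeps one form per file, so a remaining bare `<%=` on user-supplied data is easier to spot in review or with a grep. Escaping in these templates appears to be opt-in per output tag, so any other view that prints the candidate name (not visible here) would presumably need the same treatment. The `link_to_remote` call continues outside the hunk.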
       <% if @current_candidate.picture? %>
       <img src="<%= url_for :action => 'candidate_picture',
                             :id => @current_candidate.id %>"
-           align="top" />
+           align="top" width="80px" />
       <% end %>
       </td>
+      <% if @current_candidate.description.length > 0 %>
       <td valign="top">
         <em>Description:</em><br />
          <%= h(@current_candidate.description) %>
-    </td></tr></table>
+      </td>
+      <% else %>
+      <td></td>
+      <% end %>
+    </tr></table>
     </blockquote>
 </p>
 </div>
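Review bot: The added guard `<% if @current_candidate.description.length > 0 %>` raises NoMethodError when `description` is nil. That can happen for a candidate stored without a description, unless the model or schema guarantees an empty-string default (not visible here). `<% if !@current_candidate.description.blank? %>` handles nil and the empty string in one test, and it also treats a whitespace-only description as absent. Separately, `width="80px"` on the `<img>` is not a valid value for the HTML attribute, which takes a bare pixel count (`width="80"`). The enclosing table and blockquote open outside the hunk, and this hunk's `@@` header is not shown on the page.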
