projects / selectricity-live / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add a bunch of fixes to HTML escaping, and a test case for it
[selectricity-live] / app / views / quickvote / _result.rhtml
diff --git a/app/views/quickvote/_result.rhtml b/app/views/quickvote/_result.rhtml
index e10890a7a92d80d5fbe11534eeb944d95e2b2828..b64322455fefcd8c554d5c1f362232c824db9df4 100644 (file)
--- a/app/views/quickvote/_result.rhtml
+++ b/app/views/quickvote/_result.rhtml
@@ -1,10 +1,9 @@
 <% %>
 <% if result.winner? and result.winners.length == 1%>
   <p><em>The winner is:
-     <strong><%= @candidates[result.winner].name.capitalize %></strong></em></p>
+     <strong><%=h @candidates[result.winner].name.capitalize %></strong></em></p>
 <% elsif result.winner? and result.winners.length > 1 %>
-  <p><em>There was a tie. The winners are: <strong><%=
-  result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") %></strong></em></p>
+  <p><em>There was a tie. The winners are: <strong><%=h( result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") )%></strong></em></p>
 <% else %>
   <p><em>There is no winner using this method. </em></strong></p>
 <% end %>
Voting machinery for the masses!

Benjamin Mako Hill || Want to submit a patch?