Add a bunch of fixes to HTML escaping, and a test case for it
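--- a/app/views/quickvote/_result.rhtml
+++ b/app/views/quickvote/_result.rhtml
@@ -1,10 +1,9 @@
 <% %>
 <% if result.winner? and result.winners.length == 1%>
 <p><em>The winner is:
- <strong><%= @candidates[result.winner].name.capitalize %></strong></em></p>
+ <strong><%= h @candidates[result.winner].name.capitalize %></strong></em></p>
 <% elsif result.winner? and result.winners.length > 1 %>
- <p><em>There was a tie. The winners are: <strong><%=
- result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") %></strong></em></p>
+ <p><em>There was a tie. The winners are: <strong><%=h( result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") )%></strong></em></p>
 <% else %>
 <p><em>There is no winner using this method. </em></strong></p>
 <% end %>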
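Review bot: The `else` branch near the end of the hunk still emits `<p><em>There is no winner using this method. </em></strong></p>`, which closes a `</strong>` that was never opened; since this commit is already cleaning up the partial's output, that line should become `<p><em>There is no winner using this method.</em></p>`. In the tie branch the new code escapes the whole joined string with `h(...)`, which is correct today because the separator `", "` contains nothing escapable, but it couples the escaping to the separator staying plain text. Escaping each candidate before the join, `<%= result.winners.collect {|w| h(@candidates[w].to_s.capitalize)}.join(", ") %>`, keeps untrusted names escaped even if the separator is later changed to markup. The single-winner branch is consistent with the tie branch once both escape the candidate value rather than the surrounding markup.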
Benjamin Mako Hill