Add a bunch of fixes to HTML escaping, and a test case for it

[selectricity-live] / app / views / quickvote / results.rhtml

diff --git a/app/views/quickvote/results.rhtml b/app/views/quickvote/results.rhtml
index c49d68201a48e10363c14811cad171a6abe6dd39..799459df0f9704d5079271d4a37e34fa979a3152 100644 (file)
--- a/app/views/quickvote/results.rhtml
+++ b/app/views/quickvote/results.rhtml
@@ -4,7 +4,7 @@
 
 <% if @election.shortdesc %>
   <p><strong>Description:</strong></p>
-  <blockquote><em><%= @election.shortdesc %></em>
+  <blockquote><em><%=h @election.shortdesc %></em>
     <% if @election.longdesc -%>
       <br />
       <%= h(@election.longdesc) -%>
@@ -16,7 +16,7 @@
 
 <ol>
   <% for candidate in @election.candidates.sort %>
-    <li><%= candidate.name.capitalize %></li>
+    <li><%=h candidate.name.capitalize %></li>
   <% end %>
 </ol>
 
@@ -31,7 +31,7 @@
 <h3>Schulze Method Results</h3>
 <%= render :partial => 'result', :object => @election.ssd_result %>
 
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
 <h4>About the Schulze Method</h4>
 
 <p>The <%= link_to "Schulze method",
@@ -50,7 +50,7 @@ Beatpath Winner, Path Voting, and Path Winner.</p>
 <h3>Plurality Results</h3>
 <%= render :partial => 'result', :object => @election.plurality_result %>
 
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
 <h4>About Plurality Voting</h4>
 
 <p><%= link_to "Plurality voting",
@@ -70,7 +70,7 @@ voting.</p>
 <p><font size="-1">(This algorithm assumes that top two choices are "approved.")</font></p>
 <%= render :partial => 'result', :object => @election.approval_result %>
 
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
 <h4>About Approval Voting</h4>
 
 <p><%= link_to "Approval voting",
@@ -88,7 +88,7 @@ accept or not.</p>
 <h3>Simple Condorcet Results</h3>
 <%= render :partial => 'result', :object => @election.condorcet_result %>
 
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
 <h4>About Simple Cordorcet Voting</h4>
 
 <p><%= link_to "Condorcet",
@@ -108,7 +108,7 @@ another Condorcet system.</p>
 <h3>Borda Count Results</h3>
 <%= render :partial => 'result', :object => @election.borda_result %>
 
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
 <h4>About Borda Count</h4>
 
 <p><%= link_to "Borda count",
@@ -125,7 +125,7 @@ points is the winner.</p>
 <div class="resultbox">
 <h3>Instant Runoff (IRV) Results</h3>
 
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
 <h4>About Instant Runoff Voting</h4>
 
 <p><%= link_to "Instant runoff voting",
@@ -159,16 +159,16 @@ by several other names.</p>
         <% raise ArgumentError.new, "Local Server" if voter.ipaddress == "127.0.0.1" %>
         <% raise ArgumentError.new, "XML-RPC Voter" if voter.ipaddress == "XMLRPC Request" %>
         <% w= Whois::Whois.new(IPAddr.new(voter.ipaddress).to_s,true)%>
-        <%=(w.host == nil or w.host.empty?) ? voter.ipaddress : w.host%>
+        <%=h((w.host == nil or w.host.empty?) ? voter.ipaddress : w.host)%>
       </td>
       <td>
         <%w.search_whois%>
-        <%= (w.all.grep(/^(OrgName|org-name)/)[0] or "").sub(/^(OrgName|org-name)\:/,'').strip -%> - <%=  (w.all.grep(/^(NetName|netname)/)[0] or "").sub(/^(NetName|netname)\:/,'').strip %>
+        <%=h (w.all.grep(/^(OrgName|org-name)/)[0] or "").sub(/^(OrgName|org-name)\:/,'').strip -%> - <%=  (w.all.grep(/^(NetName|netname)/)[0] or "").sub(/^(NetName|netname)\:/,'').strip %>
     
     <% rescue ArgumentError => err %>
-      <%= err %>
+      <%=h err %>
     </td>
-    <td><%= err%>
+    <td><%=h err%>
     <% end %>
     </td>
   <td><%= voter.vote.votestring %></td>