Do some HTML escaping on election and candidate names
[selectricity-live] / app / views / election / _candidate_line_edit.rhtml
index 78f8580655b79453930bcdf8638fcb18fed840c3..61a9f6324cde461485f414975bd5f7cfdbd29783 100644 (file)
@@ -1,6 +1,6 @@
 <% -%>
 <div id="cand<%= @current_candidate.id %>">
-<p><strong><%= @current_candidate.name %></strong>
+<p><strong><%=h @current_candidate.name %></strong>
   (<%= link_to_remote "Delete",
                        :complete => "Element.remove('cand#{@current_candidate.id}')",
                        :url => { :action => :delete_candidate,
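Review bot: The `h` on the candidate name covers the one text node in this hunk, but `@current_candidate.id` is still interpolated raw in two other contexts, the `id="cand<%= ... %>"` attribute on the `<div>` and the single-quoted JavaScript string in the `:complete` callback. If `id` is an integer primary key this is harmless, but nothing on the page shows that, and `h` alone would not be the right escaper for the JS string context anyway (the JavaScript-string form would be `"Element.remove('cand#{escape_javascript(@current_candidate.id.to_s)}')"`). Consider a short comment on the `:complete` line noting that the interpolated value must be a numeric id, e.g. `<%# id is an integer PK, so no JS escaping needed here %>`, so a later change to a slug or user-supplied key does not silently reopen the hole. The `link_to_remote` call continues past the end of the hunk.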

Benjamin Mako Hill || Want to submit a patch?