projects / selectricity-live / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Do some HTML escaping on election and candidate names
[selectricity-live] / app / views / election / _winner.rhtml
diff --git a/app/views/election/_winner.rhtml b/app/views/election/_winner.rhtml
index 531e0d2bf9d23161d6a299fbf91183493282a6db..0e55aa22e22796c5bebb010f05d69929a17e616e 100644 (file)
--- a/app/views/election/_winner.rhtml
+++ b/app/views/election/_winner.rhtml
@@ -6,7 +6,7 @@
 
   <ul>
   <% for candidate in @winners %>
-    <li><%= @candidates_by_id[candidate].name %></li>
+    <li><%=h @candidates_by_id[candidate].name %></li>
   <% end %>
   </ul>
 
@@ -14,7 +14,7 @@
 
   <% winner = @winners[0] %>
   <p>The winner of the election was:
-     <strong><%= @candidates_by_id[winner].name %></strong>
+     <strong><%=h @candidates_by_id[winner].name %></strong>
   </p>
 
 <% end %>
Voting machinery for the masses!

Benjamin Mako Hill || Want to submit a patch?