<tr>
<th></th>
<% for candidate in @election.candidates.sort %>
- <th><%= candidate.name %></th>
+ <th><%=h candidate.name %></th>
<% end %>
</tr>
<% for cand1 in @election.candidates.sort %>
<tr>
- <th><%= cand1.name %></th>
+ <th><%=h cand1.name %></th>
<% for cand2 in @election.candidates.sort %>
<td>
<% if cand1 == cand2 %>