Merged from jdong; lots of escaping fixes
[selectricity-live] / app / controllers / quickvote_controller.rb
index 0d9eb7be4c934c2a08640ab78a2c5bb99b34849f..bb60b4552b029efff74be54bba9282c7599a671f 100644 (file)
@@ -14,7 +14,7 @@ class QuickvoteController < ApplicationController
       @quickvote = QuickVote.new(params[:quickvote])
       # store the candidate grabbed through ajax and stored in flash
       @quickvote.candidatelist = flash[:candlist]
-      @quickvote.description=CGI.escapeHTML(@quickvote.description)
+      @quickvote.description=@quickvote.description
       # try to save, if it fails, show the page again (the flash should
       # still be intact
       if @quickvote.save
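Review bot: The replacement line `@quickvote.description=@quickvote.description` is a self-assignment that does nothing; if the intent is to stop escaping on input, the line should be deleted rather than kept as a no-op. Dropping CGI.escapeHTML here and in add_candidate (the second hunk) moves responsibility for HTML escaping to the views that render the description and the candidate names, so every render site needs `h(...)` or an equivalent output escape, which this diff does not show and cannot be confirmed from the hunk. Records saved while escaping happened at storage time already hold entity-encoded text, so once views escape on output those would display the entities literally; a one-off check of existing data may be needed. The enclosing method starts and ends outside this hunk.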
@@ -33,7 +33,7 @@ class QuickvoteController < ApplicationController
   end
 
   def add_candidate
-    candidate_name = CGI.escapeHTML(params[:ajax][:newcandidate])
+    candidate_name = params[:ajax][:newcandidate]
     unless candidate_name.strip.empty?
       if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array) 
         flash[:candlist] << candidate_name unless flash[:candlist].index(candidate_name)
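Review bot: The new line assigns `params[:ajax][:newcandidate]` with no nil guard, so a request missing the `ajax` hash or the `newcandidate` key raises NoMethodError on the following `.strip` (the removed CGI.escapeHTML call would also have failed on nil, so this is pre-existing, but the rewrite is the place to close it): `candidate_name = (params[:ajax] && params[:ajax][:newcandidate]).to_s`. The candidate name is now kept unescaped in flash[:candlist] and later in the candidate list, so wherever it is rendered must escape on output. add_candidate continues past the end of this hunk.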
@@ -156,7 +156,11 @@ class QuickvoteController < ApplicationController
   ###############################################################
 
   def results
-    @election = QuickVote.ident_to_quickvote(params[:ident])
+    unless @election = QuickVote.ident_to_quickvote(params[:ident])
+      flash[:notice] = "Cannot find quickvote #{params[:ident]}."
+      redirect_to :controller => 'site'
+      return
+    end
     @election.results
     @candidates = {}
     @election.candidates.each {|c| @candidates[c.id] = c}
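Review bot: The guard puts an assignment inside the condition, `unless @election = QuickVote.ident_to_quickvote(params[:ident])`, which reads as a possible typo for `==`; splitting it into `@election = QuickVote.ident_to_quickvote(params[:ident])` followed by `unless @election` says the same thing unambiguously. The notice interpolates the raw `params[:ident]`, which is only safe if the layout escapes flash[:notice] when rendering it — consistent with the rest of this commit moving escaping to render time, but not visible here. `results` continues beyond the end of the hunk.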
