Do some HTML escaping on election and candidate names

[selectricity-live] / app / views / election / _candidate_line_edit.rhtml

diff --git a/app/views/election/_candidate_line_edit.rhtml b/app/views/election/_candidate_line_edit.rhtml
old mode 100755 (executable)
new mode 100644 (file)
index 78f8580..61a9f63
--- a/app/views/election/_candidate_line_edit.rhtml
+++ b/app/views/election/_candidate_line_edit.rhtml
@@ -1,6 +1,6 @@
 <% -%>
 <div id="cand<%= @current_candidate.id %>">
-<p><strong><%= @current_candidate.name %></strong>
+<p><strong><%=h @current_candidate.name %></strong>
   (<%= link_to_remote "Delete",
                        :complete => "Element.remove('cand#{@current_candidate.id}')",
                        :url => { :action => :delete_candidate,