Do some HTML escaping on election and candidate names

author John Dong <jdong@mit.edu>

Wed, 29 Aug 2007 21:26:14 +0000 (17:26 -0400)

committer John Dong <jdong@mit.edu>

Wed, 29 Aug 2007 21:26:14 +0000 (17:26 -0400)
author John Dong <jdong@mit.edu>
Wed, 29 Aug 2007 21:26:14 +0000 (17:26 -0400)
committer John Dong <jdong@mit.edu>
Wed, 29 Aug 2007 21:26:14 +0000 (17:26 -0400)
diff --git a/app/views/election/_candidate_line.rhtml b/app/views/election/_candidate_line.rhtml

index 5145b88878e78add5767e0890644ac76b94cbaad..870a2de03d6bb977c9776abd745f7bd66c671d2a 100644 (file)
--- a/app/views/election/_candidate_line.rhtml
+++ b/app/views/election/_candidate_line.rhtml
@@ -1,6 +1,6 @@
  <% -%>
  <div id="cand<%= @current_candidate.id %>">
-  <li><%= @current_candidate.name -%>
+  <li><%=h @current_candidate.name -%>
      <% if @show_details %>
        (<%= link_to_remote "Hide Details",
                           :update => "cand#{@current_candidate.id}",
diff --git a/app/views/election/_candidate_line_edit.rhtml b/app/views/election/_candidate_line_edit.rhtml

index 78f8580655b79453930bcdf8638fcb18fed840c3..61a9f6324cde461485f414975bd5f7cfdbd29783 100644 (file)
--- a/app/views/election/_candidate_line_edit.rhtml
+++ b/app/views/election/_candidate_line_edit.rhtml
@@ -1,6 +1,6 @@
  <% -%>
  <div id="cand<%= @current_candidate.id %>">
-<p><strong><%= @current_candidate.name %></strong>
+<p><strong><%=h @current_candidate.name %></strong>
    (<%= link_to_remote "Delete",
                         :complete => "Element.remove('cand#{@current_candidate.id}')",
                         :url => { :action => :delete_candidate,
diff --git a/app/views/election/_winner.rhtml b/app/views/election/_winner.rhtml

index 531e0d2bf9d23161d6a299fbf91183493282a6db..0e55aa22e22796c5bebb010f05d69929a17e616e 100644 (file)
--- a/app/views/election/_winner.rhtml
+++ b/app/views/election/_winner.rhtml
@@ -6,7 +6,7 @@
  
    <ul>
    <% for candidate in @winners %>
-    <li><%= @candidates_by_id[candidate].name %></li>
+    <li><%=h @candidates_by_id[candidate].name %></li>
    <% end %>
    </ul>
  
@@ -14,7 +14,7 @@
  
    <% winner = @winners[0] %>
    <p>The winner of the election was:
-     <strong><%= @candidates_by_id[winner].name %></strong>
+     <strong><%=h @candidates_by_id[winner].name %></strong>
    </p>
  
  <% end %>
diff --git a/app/views/election/_winner_details.rhtml b/app/views/election/_winner_details.rhtml

index 0903952eb6e386b3368d4e29effa911c9504580b..36877ae4c7fd1163bb245d66b3cec4fff756d482 100644 (file)
--- a/app/views/election/_winner_details.rhtml
+++ b/app/views/election/_winner_details.rhtml
@@ -6,12 +6,12 @@ preferred to any other candidates is listed here:</p>
  <tr>
  <th></th>
  <% for candidate in @election.candidates.sort %>
-  <th><%= candidate.name %></th>
+  <th><%=h candidate.name %></th>
  <% end %>
  </tr>
  <% for cand1 in @election.candidates.sort %>
    <tr>
-  <th><%= cand1.name %></th>
+  <th><%=h cand1.name %></th>
    <% for cand2 in @election.candidates.sort %>
      <td>
      <% if cand1 == cand2 %>
diff --git a/app/views/election/edit.rhtml b/app/views/election/edit.rhtml

index 968d1575124c730204089cc2a17e7b5ef094f280..40aaad28d51b510674231ae236a77959967600ed 100644 (file)
--- a/app/views/election/edit.rhtml
+++ b/app/views/election/edit.rhtml
@@ -1,4 +1,4 @@
-<h1><strong><%= @election.name %>:</strong> Edit Overview</h1>
+<h1><strong><%=h @election.name %>:</strong> Edit Overview</h1>
  
  <% form_tag(:action => 'update', :id => @election) do %>
    <%= render :partial => 'overview_form' %>
diff --git a/app/views/election/edit_candidate.rhtml b/app/views/election/edit_candidate.rhtml

index fe56aa08c37f3d20d8c33f03da7c2cef4442f181..7e1dd65704cd3ef9b33d7d59dd6be8ae36419587 100644 (file)
--- a/app/views/election/edit_candidate.rhtml
+++ b/app/views/election/edit_candidate.rhtml
@@ -1,4 +1,4 @@
-<h1>Editing <%= @candidate.name %></h1>
+<h1>Editing <%=h @candidate.name %></h1>
  
  <%= error_messages_for :candidate %>
  <% form_tag( { :action => :update_candidate, :id => @candidate.id },
diff --git a/app/views/election/list.rhtml b/app/views/election/list.rhtml

index 83be6c6c28671bf728c27ce8e36b628cfa2a1734..321bf4630dad225b88b59ef3630b9b50fa6be5cb 100644 (file)
--- a/app/views/election/list.rhtml
+++ b/app/views/election/list.rhtml
@@ -5,9 +5,9 @@
  
  <% for election in @elections %>
    <tr>
-    <td valign="top"><h2><%= link_to election.name, :action => 'show', :id => election %></h2>
+    <td valign="top"><h2><%=h link_to election.name, :action => 'show', :id => election %></h2>
          <p><strong>Description:</strong></p>
-       <blockquote><%= election.description %></blockquote>
+       <blockquote><%=h election.description %></blockquote>
         
          <p><strong>Election Information:</strong></p>
         <ul>
diff --git a/app/views/election/new_voters.rhtml b/app/views/election/new_voters.rhtml

index d1f0fab8adafc5f59be7bb0b67c47fb046c943bc..5f064462f3c8ceed2e28b27bd7c8befd14ea7b1d 100644 (file)
--- a/app/views/election/new_voters.rhtml
+++ b/app/views/election/new_voters.rhtml
@@ -1,5 +1,5 @@
  <% @edit = true %>
-<h1><strong><%= @election.name %>:</strong> Enter List of Voter Email Addresses</h1>
+<h1><strong><%=h @election.name %>:</strong> Enter List of Voter Email Addresses</h1>
  
  <%= render :partial => 'voter_list' %>
author	John Dong <jdong@mit.edu>
	Wed, 29 Aug 2007 21:26:14 +0000 (17:26 -0400)
committer	John Dong <jdong@mit.edu>
	Wed, 29 Aug 2007 21:26:14 +0000 (17:26 -0400)
app/views/election/_candidate_line.rhtml		patch \| blob \| history
app/views/election/_candidate_line_edit.rhtml		patch \| blob \| history
app/views/election/_winner.rhtml		patch \| blob \| history
app/views/election/_winner_details.rhtml		patch \| blob \| history
app/views/election/edit.rhtml		patch \| blob \| history
app/views/election/edit_candidate.rhtml		patch \| blob \| history
app/views/election/list.rhtml		patch \| blob \| history
app/views/election/new_voters.rhtml		patch \| blob \| history