selectricity-live: commitdiff (parent: 91f41ab)
HTML escape description to prevent code injection onto page
author    John Dong <jdong@mit.edu>  Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)
committer John Dong <jdong@mit.edu>  Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)
app/controllers/quickvote_controller.rb
diff --git a/app/controllers/quickvote_controller.rb b/app/controllers/quickvote_controller.rb
index a365171e0a57bcd6abaaf746749ea404bd00b43f..4783eb2d72ee79af31bd74f1e3de9112b02b7114 100644
--- a/app/controllers/quickvote_controller.rb
+++ b/app/controllers/quickvote_controller.rb
@@ -15,7 +15,7 @@ class QuickvoteController < ApplicationController
# store the candidate grabbed through ajax and stored in flash
@quickvote.candidatelist = flash[:candlist]
-
+ @quickvote.description=CGI.escapeHTML(@quickvote.description)
# try to save, if it fails, show the page again (the flash should
# still be intact
if @quickvote.save
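Review bot: calling `CGI.escapeHTML` on `@quickvote.description` right before `@quickvote.save` writes the HTML-escaped string into the database, so this hunk changes the stored data rather than the rendered output. Two consequences follow from the visible lines: any template that already escapes on output (the `h` helper) will now double-escape the description (`&amp;lt;` where `&lt;` was intended), and if this action runs again for a record that already went through it, the value is escaped a second time. The more robust placement is to store the raw description and escape at render time in each view that prints it, e.g. `<%= h @quickvote.description %>`. Separately, `CGI.escapeHTML` raises when given `nil`, so a quickvote submitted with no description would now fail on this line before the save is attempted; guard it with `if @quickvote.description` or pass `@quickvote.description.to_s` if the escape-before-save approach is kept.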