HTML escape description to prevent code injection onto page

author John Dong <jdong@mit.edu>

Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)

committer John Dong <jdong@mit.edu>

Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)
author John Dong <jdong@mit.edu>
Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)
committer John Dong <jdong@mit.edu>
Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)
diff --git a/app/controllers/quickvote_controller.rb b/app/controllers/quickvote_controller.rb

index a365171e0a57bcd6abaaf746749ea404bd00b43f..4783eb2d72ee79af31bd74f1e3de9112b02b7114 100644 (file)
--- a/app/controllers/quickvote_controller.rb
+++ b/app/controllers/quickvote_controller.rb
@@ -15,7 +15,7 @@ class QuickvoteController < ApplicationController
       
        # store the candidate grabbed through ajax and stored in flash
        @quickvote.candidatelist = flash[:candlist]
-
+      @quickvote.description=CGI.escapeHTML(@quickvote.description)
        # try to save, if it fails, show the page again (the flash should
        # still be intact
        if @quickvote.save
author	John Dong <jdong@mit.edu>
	Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)
committer	John Dong <jdong@mit.edu>
	Thu, 16 Aug 2007 19:47:21 +0000 (15:47 -0400)