* Tighter validation, closed a number of crashes due to invalid data

* Security: Escape HTML to prevent injection of code onto the form
* Prevent empty candidates from passing validation
* Clearer, non Engrishy error messages on quickvote/create
* Prevent quickvote ident names from clashing with reserved controller actions

diff --git a/app/models/quick_vote.rb b/app/models/quick_vote.rb
index ce4a4fb5d3fe1dd142e4db139262c68c5bc6a069..0efb5744e62397bd0a1c56a4f59b363d42f2e585 100644 (file)
--- a/app/models/quick_vote.rb
+++ b/app/models/quick_vote.rb
@@ -10,12 +10,16 @@ class QuickVote < Election
   attr_accessor :borda_result
 
   def validate
-    if @raw_candidates.length < 2
-      errors.add("You must list at least two candidates.")
+    if not @raw_candidates or @raw_candidates.length < 2
+        errors.add(nil, "You must list at least two candidates.")
     end
-
+    
     if name =~ /[^A-Za-z0-9]/
-      errors.add("The name must only include numbers and letters.")
+      errors.add(:name, "must only include numbers and letters.")
+    end
+    
+    if name =~ /^(create|index|confirm|change|results)$/
+      errors.add(:name, " is a reserved word.")
     end
   end
   
@@ -40,6 +44,7 @@ class QuickVote < Election
   end
 
   def create_candidates
+    return unless errors.empty?
     @raw_candidates.each do |name|
       candidate = Candidate.new({:name => name})
       self.candidates << candidate