HTML escape description to prevent code injection onto page

[selectricity] / app / controllers / quickvote_controller.rb

diff --git a/app/controllers/quickvote_controller.rb b/app/controllers/quickvote_controller.rb
index 83a6cc5fc659e5bcfabcc75a1d6e31baa7af5474..4783eb2d72ee79af31bd74f1e3de9112b02b7114 100644 (file)
--- a/app/controllers/quickvote_controller.rb
+++ b/app/controllers/quickvote_controller.rb
@@ -15,7 +15,7 @@ class QuickvoteController < ApplicationController
      
       # store the candidate grabbed through ajax and stored in flash
       @quickvote.candidatelist = flash[:candlist]
-
+      @quickvote.description=CGI.escapeHTML(@quickvote.description)
       # try to save, if it fails, show the page again (the flash should
       # still be intact
       if @quickvote.save
@@ -34,11 +34,13 @@ class QuickvoteController < ApplicationController
   end
 
   def add_candidate
-    candidate_name = params[:ajax][:newcandidate]
-    if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array) 
-      flash[:candlist] << candidate_name
-    else
-      flash[:candlist] = [ candidate_name ]
+    candidate_name = CGI.escapeHTML(params[:ajax][:newcandidate])
+    unless candidate_name.strip.empty?
+      if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array) 
+        flash[:candlist] << candidate_name unless flash[:candlist].index(candidate_name)
+     else
+       flash[:candlist] = [ candidate_name ]
+      end
     end
     flash.keep(:candlist)
     render_partial 'candidate_list'