end
def add_candidate
- candidate_name = params[:ajax][:newcandidate]
- if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array)
- flash[:candlist] << candidate_name
- else
- flash[:candlist] = [ candidate_name ]
+ candidate_name = CGI.escapeHTML(params[:ajax][:newcandidate])
+ unless candidate_name.strip.empty?
+ if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array)
+ flash[:candlist] << candidate_name
+ else
+ flash[:candlist] = [ candidate_name ]
+ end
end
flash.keep(:candlist)
render_partial 'candidate_list'