Add a bunch of fixes to HTML escaping, and a test case for it
[selectricity] / app / views / quickvote / index.rhtml
index e7cac3d88f13de8d89892e233a4de5e192f7522e..1179b7cb894833f9f98d9f93da46958169d32428 100644 (file)
@@ -1,14 +1,14 @@
 <% %>
 
 <% if @voter.election.shortdesc %>
-  <h1><%= @voter.election.shortdesc %></h1>
+  <h1><%=h @voter.election.shortdesc %></h1>
 <% else %>
   <h1>QuickVote</h1>
 <% end %>
 
 <% if @voter.election.longdesc %>
   <p><strong>Description:</strong></p>
-  <blockquote><%= @voter.election.longdesc %></blockquote>
+  <blockquote><%=h @voter.election.longdesc %></blockquote>
 
 <h2>Vote</h2>
 <% end %>
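Review bot: The "QuickVote" fallback on the `else` branch is skipped whenever shortdesc is an empty string rather than nil, because `<% if @voter.election.shortdesc %>` only tests for nil and `""` is truthy in Ruby; the longdesc guard below has the same gap, so a blank description renders an empty `<h1>` or an empty `<blockquote>` with a "Description:" label. The Rails idiom is `<% unless @voter.election.shortdesc.blank? %>` and `<% unless @voter.election.longdesc.blank? %>`. The added `h` calls are the right fix for the escaping of these two fields, both of which are rendered as element text; be aware that depending on the Rails version `h` may escape `&`, `<`, `>` and `"` but not `'`, which is adequate here but would not be if either value were later placed in a single-quoted attribute. The empty `<% %>` tag on the first line does nothing and could be dropped.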
@@ -31,7 +31,7 @@ bottom</em>. When you are done, press confirm to record your vote.</p>
 <ol id="rankings-list">
   <% for ranking in @voter.vote.rankings %>
     <li class="moveable" id="ranking_<%= ranking.candidate.id %>">
-      <%= ranking.candidate.name.capitalize %></li>
+      <%=h ranking.candidate.name.capitalize %></li>
   <% end %>
 </ol>
 </div>
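Review bot: The `id="ranking_<%= ranking.candidate.id %>"` interpolation on the `<li>` line is the one output in this hunk still emitted without `h`; if `candidate.id` is an integer primary key it is harmless, but it sits in an attribute context and escaping it costs nothing while keeping the view uniformly escaped: `<li class="moveable" id="ranking_<%=h ranking.candidate.id %>">`. The `h` added on the candidate name is correct for element text, and since `capitalize` runs before `h` it cannot reintroduce markup. The `</div>` closing this hunk belongs to an element opened outside the hunk.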
