X-Git-Url: https://projects.mako.cc/source/selectricity/blobdiff_plain/7ee8e40628f6d7b775f48d859dd005de5a5e9afa..8ae0d71896fa022dd80e5a5de993e1382564fcb1:/app/controllers/quickvote_controller.rb diff --git a/app/controllers/quickvote_controller.rb b/app/controllers/quickvote_controller.rb index acbf012..4783eb2 100644 --- a/app/controllers/quickvote_controller.rb +++ b/app/controllers/quickvote_controller.rb @@ -15,7 +15,7 @@ class QuickvoteController < ApplicationController # store the candidate grabbed through ajax and stored in flash @quickvote.candidatelist = flash[:candlist] - + @quickvote.description=CGI.escapeHTML(@quickvote.description) # try to save, if it fails, show the page again (the flash should # still be intact if @quickvote.save @@ -34,11 +34,13 @@ class QuickvoteController < ApplicationController end def add_candidate - candidate_name = params[:ajax][:newcandidate] - if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array) - flash[:candlist] << candidate_name - else - flash[:candlist] = [ candidate_name ] + candidate_name = CGI.escapeHTML(params[:ajax][:newcandidate]) + unless candidate_name.strip.empty? + if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array) + flash[:candlist] << candidate_name unless flash[:candlist].index(candidate_name) + else + flash[:candlist] = [ candidate_name ] + end end flash.keep(:candlist) render_partial 'candidate_list' @@ -49,7 +51,7 @@ class QuickvoteController < ApplicationController ############################################################# def index - @election = ident_to_quickvote(params[:ident]) + @election = QuickVote.ident_to_quickvote(params[:ident]) # if the person has specified an election, we show them the voting # page. otherwise, we redirect back to main the page 
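Review bot: Calling `CGI.escapeHTML` on `@quickvote.description` just before `@quickvote.save` stores entity-encoded text in the database, so the XSS protection depends on every later reader knowing the value is already escaped. Because the action re-shows the page when the save fails, a resubmitted description would presumably be encoded a second time (`&` ends up as `&amp;amp;`). Encoding at output is the more robust control: keep the raw description in the model and pass it through the `h` helper wherever a view prints it. The same point applies to `candidate_name` in the `add_candidate` hunk below. `CGI.escapeHTML` also raises on `nil`, so if the description can be absent this line needs a guard; the enclosing action starts and ends outside the hunk.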
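Review bot: `params[:ajax][:newcandidate]` is dereferenced in `add_candidate` without a presence check, so a request that omits `ajax` or `newcandidate` raises before the new empty-name guard is reached (both `nil[...]` and `CGI.escapeHTML(nil)` fail). The guard tests `candidate_name.strip.empty?` but stores the unstripped value, so `"Alice"` and `" Alice"` pass the new `index` duplicate check as two different candidates. Normalising once at the top covers both, for example `candidate_name = (params[:ajax] || {})[:newcandidate].to_s.strip`, with HTML encoding left to the `candidate_list` partial that prints the names. The method's closing `end` lies outside the hunk.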
@@ -87,7 +89,7 @@ class QuickvoteController < ApplicationController def confirm # we need the election to verify that we have the right voter - election = ident_to_quickvote(params[:ident]) + election = QuickVote.ident_to_quickvote(params[:ident]) # find out who the voter is for this election @voter = QuickVoter.find_all(["session_id = ? and election_id = ?", @@ -142,21 +144,9 @@ class QuickvoteController < ApplicationController ############################################################### def results - @election = ident_to_quickvote(params[:ident]) + @election = QuickVote.ident_to_quickvote(params[:ident]) @election.results @candidates = {} @election.candidates.each {|c| @candidates[c.id] = c} end - - private - def ident_to_quickvote(ident) - if ident.match(/^\d+$/) - quickvote = QuickVote.find(ident) - else - quickvote = QuickVote.find_all(["name = ?", ident])[0] - end - - return quickvote - end - end
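Review bot: `results` calls `@election.results` directly after the lookup, with no check that `QuickVote.ident_to_quickvote(params[:ident])` actually found an election. The controller helper deleted at the end of this hunk returned `nil` for an unknown name, so if the model method that replaces it (not shown in this diff) behaves the same way, a stale or mistyped ident produces a `NoMethodError` instead of the redirect that the comment in `index` describes. An `unless @election` guard at the top of the action, redirecting to the same place `index` does, would close that; `confirm` makes the same lookup, but what it does with the result is outside its hunk. The deleted helper also matched numeric idents with `/^\d+$/`, which Ruby applies per line; if that pattern was carried into the model unchanged, `/\A\d+\z/` is the whole-string form.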