@quickvote = QuickVote.new(params[:quickvote])
# store the candidate grabbed through ajax and stored in flash
@quickvote.candidatelist = flash[:candlist]
- @quickvote.description=CGI.escapeHTML(@quickvote.description)
+ @quickvote.description=@quickvote.description
# try to save, if it fails, show the page again (the flash should
# still be intact
if @quickvote.save
end
def add_candidate
- candidate_name = CGI.escapeHTML(params[:ajax][:newcandidate])
+ candidate_name = params[:ajax][:newcandidate]
unless candidate_name.strip.empty?
if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array)
flash[:candlist] << candidate_name unless flash[:candlist].index(candidate_name)
<% if flash[:candlist] %>
<ul>
<% for cand in flash[:candlist] %>
- <li><%= cand.capitalize %></li>
+ <li><%=h cand.capitalize %></li>
<% end %>
</ul>
<% end %>
<tr>
<td> </td>
<% candidates.each do |candidate| -%>
- <th><%= names[candidate] -%></th>
+ <th><%=h names[candidate] -%></th>
<% end -%>
<% candidates.each do |winner| -%>
<tr>
- <th><%= names[winner] %></th>
+ <th><%=h names[winner] %></th>
<% candidates.each do |loser| -%>
<% if winner == loser -%>
<td> -- </td>
<% else %>
<td><% wins = @election.condorcet_result.matrix[winner][loser]%>
- <%= wins %>
+ <%=h wins %>
<%= sparkline_tag [(wins.to_f/voters.to_f)*100.0], :type => 'pie',
:diameter => 25, :share_color => '#74ce00' %>
</td>
<% %>
<% if result.winner? and result.winners.length == 1%>
<p><em>The winner is:
- <strong><%= @candidates[result.winner].name.capitalize %></strong></em></p>
+ <strong><%=h @candidates[result.winner].name.capitalize %></strong></em></p>
<% elsif result.winner? and result.winners.length > 1 %>
- <p><em>There was a tie. The winners are: <strong><%=
- result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") %></strong></em></p>
+ <p><em>There was a tie. The winners are: <strong><%=h( result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") )%></strong></em></p>
<% else %>
<p><em>There is no winner using this method. </em></strong></p>
<% end %>
<table class="voterbox">
<% victories.keys.each do |victor| %>
<tr>
- <th><%= names[victor] %></th>
+ <th><%=h names[victor] %></th>
<% victories[victor].keys.each do |loser| %>
- <td><%= names[loser] %> (<%= victories[victor][loser] %>)</td>
+ <td><%=h names[loser] %> (<%= victories[victor][loser] %>)</td>
<% end -%>
</tr>
<% end -%>
<% %>
<% if @voter.election.shortdesc %>
- <h1><%= @voter.election.shortdesc %></h1>
+ <h1><%=h @voter.election.shortdesc %></h1>
<% else %>
<h1>QuickVote</h1>
<% end %>
<% if @voter.election.longdesc %>
<p><strong>Description:</strong></p>
- <blockquote><%= @voter.election.longdesc %></blockquote>
+ <blockquote><%=h @voter.election.longdesc %></blockquote>
<h2>Vote</h2>
<% end %>
<ol id="rankings-list">
<% for ranking in @voter.vote.rankings %>
<li class="moveable" id="ranking_<%= ranking.candidate.id %>">
- <%= ranking.candidate.name.capitalize %></li>
+ <%=h ranking.candidate.name.capitalize %></li>
<% end %>
</ol>
</div>
<% if @election.shortdesc %>
<p><strong>Description:</strong></p>
- <blockquote><em><%= @election.shortdesc %></em>
+ <blockquote><em><%=h @election.shortdesc %></em>
<% if @election.longdesc -%>
<br />
<%= h(@election.longdesc) -%>
<ol>
<% for candidate in @election.candidates.sort %>
- <li><%= candidate.name.capitalize %></li>
+ <li><%=h candidate.name.capitalize %></li>
<% end %>
</ol>
<h3>Schulze Method Results</h3>
<%= render :partial => 'result', :object => @election.ssd_result %>
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
<h4>About the Schulze Method</h4>
<p>The <%= link_to "Schulze method",
<h3>Plurality Results</h3>
<%= render :partial => 'result', :object => @election.plurality_result %>
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
<h4>About Plurality Voting</h4>
<p><%= link_to "Plurality voting",
<p><font size="-1">(This algorithm assumes that top two choices are "approved.")</font></p>
<%= render :partial => 'result', :object => @election.approval_result %>
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
<h4>About Approval Voting</h4>
<p><%= link_to "Approval voting",
<h3>Simple Condorcet Results</h3>
<%= render :partial => 'result', :object => @election.condorcet_result %>
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
<h4>About Simple Cordorcet Voting</h4>
<p><%= link_to "Condorcet",
<h3>Borda Count Results</h3>
<%= render :partial => 'result', :object => @election.borda_result %>
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
<h4>About Borda Count</h4>
<p><%= link_to "Borda count",
<div class="resultbox">
<h3>Instant Runoff (IRV) Results</h3>
-<div class="rbmoreinfo"
+<div class="rbmoreinfo">
<h4>About Instant Runoff Voting</h4>
<p><%= link_to "Instant runoff voting",
<% raise ArgumentError.new, "Local Server" if voter.ipaddress == "127.0.0.1" %>
<% raise ArgumentError.new, "XML-RPC Voter" if voter.ipaddress == "XMLRPC Request" %>
<% w= Whois::Whois.new(IPAddr.new(voter.ipaddress).to_s,true)%>
- <%=(w.host == nil or w.host.empty?) ? voter.ipaddress : w.host%>
+ <%=h((w.host == nil or w.host.empty?) ? voter.ipaddress : w.host)%>
</td>
<td>
<%w.search_whois%>
- <%= (w.all.grep(/^(OrgName|org-name)/)[0] or "").sub(/^(OrgName|org-name)\:/,'').strip -%> - <%= (w.all.grep(/^(NetName|netname)/)[0] or "").sub(/^(NetName|netname)\:/,'').strip %>
+ <%=h (w.all.grep(/^(OrgName|org-name)/)[0] or "").sub(/^(OrgName|org-name)\:/,'').strip -%> - <%= (w.all.grep(/^(NetName|netname)/)[0] or "").sub(/^(NetName|netname)\:/,'').strip %>
<% rescue ArgumentError => err %>
- <%= err %>
+ <%=h err %>
</td>
- <td><%= err%>
+ <td><%=h err%>
<% end %>
</td>
<td><%= voter.vote.votestring %></td>
<ol>
<% for rank in @voter.vote.rankings.sort %>
- <li><%= rank.candidate.name.capitalize %> </li>
+ <li><%=h rank.candidate.name.capitalize %> </li>
<% end %>
</ol>
<ul>
<% for quickvote in @quickvotes %>
-<li><%= link_to (quickvote.shortdesc || "Unnamed"), quickvote_url(:ident => quickvote.name) %></li>
+<li><%= link_to (h(quickvote.shortdesc) || "Unnamed"), quickvote_url(:ident => quickvote.name) %></li>
<% end %>
</ul>
post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} }
assert_redirected_to :controller => 'quickvote', :ident => 'variable'
end
+ def test_display_tainted_quickvote
+ test_create_quickvote
+ qv=QuickVote.ident_to_quickvote('variable')
+ qv.description="<object>foo</object>"
+ qv.candidatelist = ["<object>foo", "bar<object>", "<foobar>"]
+ qv.save!
+ get :index, { 'ident' => 'variable' }
+ assert_response :success
+ assert_no_tag :tag => "object"
+ assert_no_tag :tag => "foobar"
+ votes = QuickVote.ident_to_quickvote('variable').candidates.collect { |c| c.id}
+ post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} }
+ assert_template('quickvote/thanks')
+ assert_no_tag :tag => "object"
+ assert_no_tag :tag => "foobar"
+ get :results, { 'ident' => 'variable' }
+ assert_response :success
+ assert_no_tag :tag => "object"
+ assert_no_tag :tag => "foobar"
+ end
end
projects / selectricity / commitdiff