From 132c17fac0edd8b6eec263f494b95beef3b4e6ac Mon Sep 17 00:00:00 2001
From: John Dong
Date: Wed, 29 Aug 2007 17:26:14 -0400
Subject: [PATCH 1/1] Do some HTML escaping on election and candidate names
---
 app/views/election/_candidate_line.rhtml | 2 +-
 app/views/election/_candidate_line_edit.rhtml | 2 +-
 app/views/election/_winner.rhtml | 4 ++--
 app/views/election/_winner_details.rhtml | 4 ++--
 app/views/election/edit.rhtml | 2 +-
 app/views/election/edit_candidate.rhtml | 2 +-
 app/views/election/list.rhtml | 4 ++--
 app/views/election/new_voters.rhtml | 2 +-
 8 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/app/views/election/_candidate_line.rhtml b/app/views/election/_candidate_line.rhtml
index 5145b88..870a2de 100644
--- a/app/views/election/_candidate_line.rhtml
+++ b/app/views/election/_candidate_line.rhtml
@@ -1,6 +1,6 @@ <% -%>
-
  • <%= @current_candidate.name -%> +
  • <%=h @current_candidate.name -%> <% if @show_details %> (<%= link_to_remote "Hide Details", :update => "cand#{@current_candidate.id}", diff --git a/app/views/election/_candidate_line_edit.rhtml b/app/views/election/_candidate_line_edit.rhtml index 78f8580..61a9f63 100644 --- a/app/views/election/_candidate_line_edit.rhtml +++ b/app/views/election/_candidate_line_edit.rhtml @@ -1,6 +1,6 @@ <% -%>
    -

    <%= @current_candidate.name %> +

    <%=h @current_candidate.name %> (<%= link_to_remote "Delete", :complete => "Element.remove('cand#{@current_candidate.id}')", :url => { :action => :delete_candidate, diff --git a/app/views/election/_winner.rhtml b/app/views/election/_winner.rhtml index 531e0d2..0e55aa2 100644 --- a/app/views/election/_winner.rhtml +++ b/app/views/election/_winner.rhtml @@ -6,7 +6,7 @@

      <% for candidate in @winners %> -
    • <%= @candidates_by_id[candidate].name %>
    • +
    • <%=h @candidates_by_id[candidate].name %>
    • <% end %>
    @@ -14,7 +14,7 @@ <% winner = @winners[0] %>

    The winner of the election was: - <%= @candidates_by_id[winner].name %> + <%=h @candidates_by_id[winner].name %>

    <% end %> diff --git a/app/views/election/_winner_details.rhtml b/app/views/election/_winner_details.rhtml index 0903952..36877ae 100644 --- a/app/views/election/_winner_details.rhtml +++ b/app/views/election/_winner_details.rhtml @@ -6,12 +6,12 @@ preferred to any other candidates is listed here:

    <% for candidate in @election.candidates.sort %> - <%= candidate.name %> + <%=h candidate.name %> <% end %> <% for cand1 in @election.candidates.sort %> - <%= cand1.name %> + <%=h cand1.name %> <% for cand2 in @election.candidates.sort %> <% if cand1 == cand2 %> diff --git a/app/views/election/edit.rhtml b/app/views/election/edit.rhtml index 968d157..40aaad2 100644 --- a/app/views/election/edit.rhtml +++ b/app/views/election/edit.rhtml @@ -1,4 +1,4 @@ -
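Review bot: The hunk ends inside the `for cand2 in @election.candidates.sort` loop, whose body is outside the hunk; if that body renders `cand2.name` the way the lines above render `candidate.name` and `cand1.name`, it needs the same `h` wrapper, `<%=h cand2.name %>`, or the escaping in this partial stays incomplete. I cannot see that output from here, so please confirm against the rest of the file.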

    <%= @election.name %>: Edit Overview

    +

    <%=h @election.name %>: Edit Overview

    <% form_tag(:action => 'update', :id => @election) do %> <%= render :partial => 'overview_form' %> diff --git a/app/views/election/edit_candidate.rhtml b/app/views/election/edit_candidate.rhtml index fe56aa0..7e1dd65 100644 --- a/app/views/election/edit_candidate.rhtml +++ b/app/views/election/edit_candidate.rhtml @@ -1,4 +1,4 @@ -

    Editing <%= @candidate.name %>

    +

    Editing <%=h @candidate.name %>

    <%= error_messages_for :candidate %> <% form_tag( { :action => :update_candidate, :id => @candidate.id }, diff --git a/app/views/election/list.rhtml b/app/views/election/list.rhtml index 83be6c6..321bf46 100644 --- a/app/views/election/list.rhtml +++ b/app/views/election/list.rhtml @@ -5,9 +5,9 @@ <% for election in @elections %> -

    <%= link_to election.name, :action => 'show', :id => election %>

    +

    <%=h link_to election.name, :action => 'show', :id => election %>

    Description:

    -
    <%= election.description %>
    +
    <%=h election.description %>

    Election Information:

      diff --git a/app/views/election/new_voters.rhtml b/app/views/election/new_voters.rhtml index d1f0fab..5f06446 100644 --- a/app/views/election/new_voters.rhtml +++ b/app/views/election/new_voters.rhtml @@ -1,5 +1,5 @@ <% @edit = true %> -
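Review bot: `<%=h link_to election.name, :action => 'show', :id => election %>` escapes the entire return value of `link_to`, so the anchor markup itself is rendered as literal text and the election list loses its links; only the name should be escaped, `<%= link_to h(election.name), :action => 'show', :id => election %>`. The `<%=h election.description %>` change further down the hunk is correct as written. The enclosing `for election in @elections` loop continues past the end of the hunk.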

      <%= @election.name %>: Enter List of Voter Email Addresses

      +

      <%=h @election.name %>: Enter List of Voter Email Addresses

      <%= render :partial => 'voter_list' %>
-- 
2.39.5