From 212820ba71e7fce006507fe1ce233ff12875510b Mon Sep 17 00:00:00 2001
From: John Dong <jdong@mit.edu>
Date: Thu, 16 Aug 2007 15:47:21 -0400
Subject: [PATCH] HTML escape description to prevent code injection onto page

---
 app/controllers/quickvote_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/quickvote_controller.rb b/app/controllers/quickvote_controller.rb
index a365171..4783eb2 100644
--- a/app/controllers/quickvote_controller.rb
+++ b/app/controllers/quickvote_controller.rb
@@ -15,7 +15,7 @@ class QuickvoteController < ApplicationController
      
       # store the candidate grabbed through ajax and stored in flash
       @quickvote.candidatelist = flash[:candlist]
-
+      @quickvote.description=CGI.escapeHTML(@quickvote.description)
       # try to save, if it fails, show the page again (the flash should
       # still be intact
       if @quickvote.save
-- 
2.30.2