From 212820ba71e7fce006507fe1ce233ff12875510b Mon Sep 17 00:00:00 2001
From: John Dong
Date: Thu, 16 Aug 2007 15:47:21 -0400
Subject: [PATCH 1/1] HTML escape description to prevent code injection onto page

---
app/controllers/quickvote_controller.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/quickvote_controller.rb b/app/controllers/quickvote_controller.rb
index a365171..4783eb2 100644
--- a/app/controllers/quickvote_controller.rb
+++ b/app/controllers/quickvote_controller.rb
@@ -15,7 +15,7 @@ class QuickvoteController < ApplicationController
# store the candidate grabbed through ajax and stored in flash
@quickvote.candidatelist = flash[:candlist]
-
+ @quickvote.description=CGI.escapeHTML(@quickvote.description)
# try to save, if it fails, show the page again (the flash should
# still be intact
if @quickvote.save
--
2.39.5
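Review bot: Escaping on the way into the model (the added `@quickvote.description=CGI.escapeHTML(...)` line) is the wrong layer for an XSS fix: it only protects output that is rendered through this one action, so any other path that writes a description (an update action, a console edit, a seed) is still stored raw, and any other path that writes it correctly with `h` in the view will double-escape what this line already turned into `&amp;`. The robust fix is to store the text as the user typed it and escape at every render site, `<%= h(@quickvote.description) %>`, since this Rails era does not auto-escape ERB output. If the write-side escape is kept, it should at least tolerate a blank form: `CGI.escapeHTML` raises on `nil`, so the line should be `@quickvote.description = CGI.escapeHTML(@quickvote.description.to_s)`, or be skipped when the field is absent. The candidate list taken from `flash[:candlist]` two lines above is also user-supplied and is not escaped here; if candidate names are rendered the same way, they presumably carry the same injection vector. The enclosing action begins and ends outside this hunk.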