From cf4234876994cb4b7e09cdd116e092424d9f4951 Mon Sep 17 00:00:00 2001
From: John Dong
Date: Thu, 16 Aug 2007 13:54:37 -0400
Subject: [PATCH] * Tighter validation, closed a number of crashes due to invalid data
* Security: Escape HTML to prevent injection of code onto the form
* Prevent empty candidates from passing validation
* Clearer, non Engrishy error messages on quickvote/create
* Prevent quickvote ident names from clashing with reserved controller actions

---
 app/models/quick_vote.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/models/quick_vote.rb b/app/models/quick_vote.rb
index ce4a4fb..0efb574 100644
--- a/app/models/quick_vote.rb
+++ b/app/models/quick_vote.rb
@@ -10,12 +10,16 @@ class QuickVote < Election
   attr_accessor :borda_result
 
   def validate
-    if @raw_candidates.length < 2
-      errors.add("You must list at least two candidates.")
+    if not @raw_candidates or @raw_candidates.length < 2
+      errors.add(nil, "You must list at least two candidates.")
     end
-
+
     if name =~ /[^A-Za-z0-9]/
-      errors.add("The name must only include numbers and letters.")
+      errors.add(:name, "must only include numbers and letters.")
+    end
+
+    if name =~ /^(create|index|confirm|change|results)$/
+      errors.add(:name, " is a reserved word.")
     end
   end
 
@@ -40,6 +44,7 @@ class QuickVote < Election
   end
 
   def create_candidates
+    return unless errors.empty?
     @raw_candidates.each do |name|
       candidate = Candidate.new({:name => name})
       self.candidates << candidate
-- 
2.30.2
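Review bot: The reserved-word check in `validate` uses line anchors, `if name =~ /^(create|index|confirm|change|results)$/`; that is only safe here because the preceding `/[^A-Za-z0-9]/` check already rejects newlines, so the check should stand on its own as `if name =~ /\A(create|index|confirm|change|results)\z/`, and if routing or name lookup is case-insensitive (not visible in this hunk) the match should be too (`/\A(...)\z/i`). The message on the line below, `errors.add(:name, " is a reserved word.")`, carries a leading space unlike its sibling `"must only include numbers and letters."`, so the rendered full message will contain a double space; drop the leading space. `if not @raw_candidates or @raw_candidates.length < 2` works because `not` binds tighter than `or`, but `if @raw_candidates.nil? || @raw_candidates.length < 2` avoids the low-precedence keywords; likewise `errors.add(nil, ...)` will render with an empty attribute prefix, and the base-error helper of the Rails version in use may be the intended call — confirm. The commit message promises that empty candidates no longer pass, but nothing in this hunk filters blank entries from `@raw_candidates`; if that lives in the setter outside the diff this is fine, otherwise `["", ""]` still satisfies the length check.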
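Review bot: The new guard `return unless errors.empty?` in `create_candidates` only prevents the `@raw_candidates.each` NoMethodError if this method runs after `validate` has populated `errors`; the hunk does not show how `create_candidates` is invoked (callback or explicit call), so if it can run before validation the guard is a no-op and a nil `@raw_candidates` still crashes. Consider a guard that does not depend on ordering, `return if @raw_candidates.nil? || !errors.empty?`, with a comment such as `# skip candidate creation when the record is invalid or no candidates were supplied`. The body of `create_candidates` continues outside the hunk.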