From cf4234876994cb4b7e09cdd116e092424d9f4951 Mon Sep 17 00:00:00 2001 From: John Dong Date: Thu, 16 Aug 2007 13:54:37 -0400 Subject: [PATCH] * Tighter validation, closed a number of crashes due to invalid data * Security: Escape HTML to prevent injection of code onto the form * Prevent empty candidates from passing validation * Clearer, non Engrishy error messages on quickvote/create * Prevent quickvote ident names from clashing with reserved controller actions --- app/models/quick_vote.rb | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/app/models/quick_vote.rb b/app/models/quick_vote.rb index ce4a4fb..0efb574 100644 --- a/app/models/quick_vote.rb +++ b/app/models/quick_vote.rb @@ -10,12 +10,16 @@ class QuickVote < Election attr_accessor :borda_result def validate - if @raw_candidates.length < 2 - errors.add("You must list at least two candidates.") + if not @raw_candidates or @raw_candidates.length < 2 + errors.add(nil, "You must list at least two candidates.") end - + if name =~ /[^A-Za-z0-9]/ - errors.add("The name must only include numbers and letters.") + errors.add(:name, "must only include numbers and letters.") + end + + if name =~ /^(create|index|confirm|change|results)$/ + errors.add(:name, " is a reserved word.") end end @@ -40,6 +44,7 @@ class QuickVote < Election end def create_candidates + return unless errors.empty? @raw_candidates.each do |name| candidate = Candidate.new({:name => name}) self.candidates << candidate -- 2.39.5