Escape user-supplied JavaScript. Fixes http://lists.openstreetmap.org/pipermail/talk...

[rails.git] / app / views / site / edit.html.erb

diff --git a/app/views/site/edit.html.erb b/app/views/site/edit.html.erb
index 79b1f64af3d6da3dfb9418dae2931e06f0bea92d..d3258c9cfa902c61f3c853d4c864e2ddd35bb70e 100644 (file)
--- a/app/views/site/edit.html.erb
+++ b/app/views/site/edit.html.erb
@@ -65,7 +65,7 @@ zoom='14' if zoom.nil?
   
   window.onbeforeunload=function() {
     if (!changesaved) {
-      return "<%= t 'site.edit.potlatch_unsaved_changes' %>";
+      return '#{escape_javascript(t('site.edit.potlatch_unsaved_changes'))}';
     }
   }
 
@@ -78,9 +78,10 @@ zoom='14' if zoom.nil?
     fo.addVariable('token','<%= session[:token] %>');
     if (lat) { fo.addVariable('lat',lat); }
     if (lon) { fo.addVariable('long',lon); }
-    <% if params['gpx']  %>fo.addVariable('gpx' ,'<%= h(params['gpx'] ) %>');<% end %>
-    <% if params['way']  %>fo.addVariable('way' ,'<%= h(params['way'] ) %>');<% end %>
-    <% if params['node'] %>fo.addVariable('node','<%= h(params['node']) %>');<% end %>
+    <% if params['gpx']     %>fo.addVariable('gpx'     ,'<%= h(params['gpx']    ) %>');<% end %>
+    <% if params['way']     %>fo.addVariable('way'     ,'<%= h(params['way']    ) %>');<% end %>
+    <% if params['node']    %>fo.addVariable('node'    ,'<%= h(params['node']   ) %>');<% end %>
+    <% if params['tileurl'] %>fo.addVariable('custombg','<%= h(params['tileurl']) %>');<% end %>
     fo.write("map");
   }