Escape user-supplied JavaScript. Fixes http://lists.openstreetmap.org/pipermail/talk...
[rails.git] / app / views / user / _friend_map.html.erb
index 72f02bd61163b6281de5012c0af6fe4de1cda7e1..a73bb53b8250a5bad816f6e624d52b8bea8e3520 100644 (file)
@@ -2,7 +2,7 @@
 <% if !@user.home_lat.nil? and !@user.home_lon.nil? %>
   <% if !@user.nearby.empty? %>
     <% @user.nearby.each do |nearby| %>
-    <% nearest_str += "nearest.push( { 'display_name' : '#{nearby.display_name}', 'home_lat' : #{nearby.home_lat}, 'home_lon' : #{nearby.home_lon} } );\n" %>
+    <% nearest_str += "nearest.push( { 'display_name' : '#{escape_javascript(nearby.display_name)}', 'home_lat' : #{nearby.home_lat}, 'home_lon' : #{nearby.home_lon} } );\n" %>
     <% end %>
   <% end %>
 <% end %>
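Review bot: On the added line, `escape_javascript` only neutralises the JavaScript string literal; it does not HTML-encode, yet the same `display_name` value is later concatenated into HTML markup (the `description` string built in the second hunk), so a name containing markup characters still reaches that markup unescaped. HTML-escaping before the JavaScript escaping closes that gap: `'display_name' : '#{escape_javascript(h(nearby.display_name))}'`. The `home_lat`/`home_lon` values are interpolated into the script without coercion; if the model guarantees numeric values this is fine, but an explicit `.to_f` would make the assumption visible at the point of use.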
@@ -54,7 +54,7 @@
     near_icon.url = OpenLayers.Util.getImagesLocation() + "marker-green.png";;
     var i = nearest.length;
     while( i-- ) {
-      var description = '<%= t 'user.friend_map.nearby mapper'%><a href="/user/'+nearest[i].display_name+'">'+nearest[i].display_name+'</a>'
+      var description = i18n('<%= t 'user.friend_map.nearby mapper'%>', { nearby_user: '<a href="/user/'+nearest[i].display_name+'">'+nearest[i].display_name+'</a>' });
       var nearmarker = addMarkerToMap(new OpenLayers.LonLat(nearest[i].home_lon, nearest[i].home_lat), near_icon.clone(), description);
     }