More escaping.

[rails.git] / app / views / diary_entry / list.rhtml

diff --git a/app/views/diary_entry/list.rhtml b/app/views/diary_entry/list.rhtml
index 4fd5e7bc26f6dd4af4d057e70e0e3654ec49f386..dd90de1697f70bc723265ba4ee313af1785224a8 100644 (file)
--- a/app/views/diary_entry/list.rhtml
+++ b/app/views/diary_entry/list.rhtml
@@ -1,7 +1,7 @@
-<h2><%= @title %></h2>
+<h2><%= h(@title) %></h2>
 
-<% if @user.image %>
- <%= image_tag url_for_file_column(@user, "image") %>
+<% if @this_user && @this_user.image %>
+ <%= image_tag url_for_file_column(@this_user, "image") %>
 <% end %>
 
 <br />