Add a few more escape calls to prevent nasty HTML being rendered. Also
[rails.git] / app / views / message / read.rhtml
index 2e2694c072abbff7fecfd119f808ead812bb2c1d..b3dcd1f23a84d3fb562c7603bef3b444e73f22bf 100644 (file)
@@ -17,7 +17,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= h(@message.body) %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>
 
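Review bot: Replacing `h(@message.body)` with `sanitize(@message.body)` on the added line loosens the escaping rather than tightening it: `h` escapes every character of the user-supplied body, while `sanitize` lets a set of tags and attributes through and its strictness depends on which sanitizer this Rails release ships (older releases used a blacklist-based implementation, which is weaker than a tag allowlist). If rendering markup in messages is the intent, the commit description should say so and the allowed-tag policy should be stated next to the call, e.g. `<%# message bodies may contain limited HTML; sanitize() applies the app-wide allowlist %>`; otherwise keep `h`. The same substitution appears in the second hunk at line 50 of this file. The commit title says it adds escape calls, which does not match what these two hunks do.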
@@ -50,7 +50,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= h(@message.body) %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>