HTML escape substituted parameter values to avoid injection attacks.

[rails.git] / app / views / user / account.rhtml

diff --git a/app/views/user/account.rhtml b/app/views/user/account.rhtml
index 53c3553165b015d4c707c18fd8fc8987e5e599e9..1a18c90b21575eb46d54c56dee5a978a338fef9d 100644 (file)
--- a/app/views/user/account.rhtml
+++ b/app/views/user/account.rhtml
@@ -34,9 +34,9 @@
 </script>
 
 <% if @user.home_lat.nil? or @user.home_lon.nil? %>
-  <% lon =  params['lon'] || '-0.1' %>
-  <% lat =  params['lat'] || '51.5' %>
-  <% zoom =  params['zoom'] || '4' %> 
+  <% lon = h(params['lon']) || '-0.1' %>
+  <% lat = h(params['lat']) || '51.5' %>
+  <% zoom = h(params['zoom']) || '4' %> 
 <% else %>
   <% marker = true %>
   <% mlon = @user.home_lon %> 
@@ -107,7 +107,7 @@
 <% if @user.data_public? %>
   All your edits are public.
 <% else %>
-  Currently your edits are anonymous and people can't send you messages or see your location. To show what you edited and allow people to contact you through the website, click the button below. <b>You will need to do this if you want to use the online editor after mid-November</b> (<a href="http://wiki.openstreetmap.org/index.php/Disabling_anonymous_edits">find out why</a>). This action cannot be reversed.
+  Currently your edits are anonymous and people can't send you messages or see your location. To show what you edited and allow people to contact you through the website, click the button below. <b>You will need to do this if you want to use the online editor</b> (<a href="http://wiki.openstreetmap.org/index.php/Disabling_anonymous_edits">find out why</a>). This action cannot be reversed.
   <br /><br />
   <%= button_to "Make all my edits public, forever", :action => :go_public %>
 <% end %>