Escape message titles and bodies. This is an emergency fix as some genius

[rails.git] / app / views / message / read.rhtml

diff --git a/app/views/message/read.rhtml b/app/views/message/read.rhtml
index 4117057d006388f48ec7a7e94de19007df541216..2e2694c072abbff7fecfd119f808ead812bb2c1d 100644 (file)
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@@ -9,7 +9,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
   </tr>
   <tr>
     <th align="right">Subject</th>

-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>

   </tr>
   <tr>
     <th align="right">Date</th>
   </tr>
   <tr>
     <th align="right">Date</th>


@@ -17,7 +17,7 @@
   </tr>
   <tr>
     <th></th>
   </tr>
   <tr>
     <th></th>

-    <td><%= @message.body %></td>
+    <td><%= h(@message.body) %></td>

   </tr>
 </table>
 
   </tr>
 </table>
 


@@ -42,7 +42,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
   </tr>
   <tr>
     <th align="right">Subject</th>

-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>

   </tr>
   <tr>
     <th align="right">Date</th>
   </tr>
   <tr>
     <th align="right">Date</th>


@@ -50,7 +50,7 @@
   </tr>
   <tr>
     <th></th>
   </tr>
   <tr>
     <th></th>

-    <td><%= @message.body %></td>
+    <td><%= h(@message.body) %></td>

   </tr>
 </table>
 
   </tr>
 </table>