use h() to avoid XSS in usernames
[rails.git] / app / views / user_blocks / edit.html.erb
index 66123e717959d2f64434e295c042f69b5ea78d0a..c52c94818e2f33fc44fbffe4b335f3636bcd2477 100644 (file)
@@ -8,7 +8,7 @@
   <%= f.error_messages %>
 
   <p>
-    <%= f.label :reason, t('user_block.edit.reason', :name => @user_block.user.display_name) %><br />
+    <%= f.label :reason, t('user_block.edit.reason', :name => h(@user_block.user.display_name)) %><br />
     <%= f.text_area :reason %>
   </p>
   <p>
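Review bot: The new `h(@user_block.user.display_name)` on the `f.label :reason` line is only correct if `f.label` emits its text argument without escaping it, and nothing in the hunk records that assumption. An ERB comment above the label would help, e.g. `<%# display_name is user-controlled and the label text is not escaped by the form helper, so escape it before interpolating %>`. If the application later runs on a Rails version that auto-escapes helper output, this call would presumably double-escape the name and should be revisited then. A view test that renders this form with a display name containing `<` and `&` would pin the expected output in either case.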