HTML escape substituted parameter values to avoid injection attacks.

[rails.git] / app / views / user / login.rhtml

diff --git a/app/views/user/login.rhtml b/app/views/user/login.rhtml
index 31fe7e4159a39b674e5e36fffc86c9530989dd08..5c6ec3ec5db92a5f6c78073d0536832cebe50383 100644 (file)
--- a/app/views/user/login.rhtml
+++ b/app/views/user/login.rhtml
@@ -1,13 +1,13 @@
-<h1>Login:</h1><br>
-Please login or <%= link_to 'create an account', :controller => 'user', :action => 'new' %>.<br>
+<h1>Login:</h1><br />
+Please login or <%= link_to 'create an account', :controller => 'user', :action => 'new' %>.<br />
 
-<%= start_form_tag :action => 'login' %>
+<% form_tag :action => 'login' do %>
+<%= hidden_field_tag('referer', h(params[:referer])) %>
 <table>
-  <tr><td>email address:</td><td><%= text_field('user', 'email',{:size => 50, :maxlength => 255}) %></td></tr>
-  <tr><td>password:</td><td><%= password_field('user', 'password',{:size => 50, :maxlength => 255}) %></td></tr>
+  <tr><td>Email Address:</td><td><%= text_field('user', 'email',{:size => 50, :maxlength => 255}) %></td></tr>
+  <tr><td>Password:</td><td><%= password_field('user', 'password',{:size => 50, :maxlength => 255}) %></td></tr>
 </table>
 
-<br>
-<input type="submit" value="Login">
-
-<%= end_form_tag %> (<%= link_to 'Lost your password?', :controller => 'user', :action => 'lost_password' %>)
+<br />
+<%= submit_tag 'Login' %>
+<% end %> (<%= link_to 'Lost your password?', :controller => 'user', :action => 'lost_password' %>)