X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/a8333a38a2c9abf3304d61b20c5215d75fdd5795..2cbcabb3f6992904903a72dfbcef624bd391a314:/app/views/site/edit.rhtml
diff --git a/app/views/site/edit.rhtml b/app/views/site/edit.rhtml
index de2764115..16c2ef3f2 100644
--- a/app/views/site/edit.rhtml
+++ b/app/views/site/edit.rhtml
@@ -24,17 +24,17 @@
 <% session[:token] = @user.tokens.create.token unless session[:token] %>
 <% if params['mlon'] and params['mlat'] %>
-<% lon = params['mlon'] %>
-<% lat = params['mlat'] %>
-<% zoom = params['zoom'] || '12' %>
+<% lon = h(params['mlon']) %>
+<% lat = h(params['mlat']) %>
+<% zoom = h(params['zoom']) || '12' %>
 <% elsif @user and params['lon'].nil? and params['lat'].nil? %>
 <% lon = @user.home_lon %>
 <% lat = @user.home_lat %>
 <% zoom = '12' %>
 <%else%>
-<% lon = params['lon'] || '-0.1' %>
-<% lat = params['lat'] || '51.5' %>
-<% zoom = params['zoom'] || '12' %>
+<% lon = h(params['lon']) || '-0.1' %>
+<% lat = h(params['lat']) || '51.5' %>
+<% zoom = h(params['zoom']) || '12' %>
 <% end %>
You need a Flash player to use Potlatch, the
@@ -54,7 +54,9 @@ fo.addVariable('long',lon);
 fo.addVariable('scale',sc);
 fo.addVariable('token','<%= session[:token] %>');
-<% if params['gpx'] %> fo.addVariable('gpx','<%= params['gpx']+"/data" %>'); <% end %>
+ <% if params['gpx'] %>
+ fo.addVariable('gpx','<%= h(params['gpx']) + "/data" %>');
+ <% end %>
 fo.write("map");
 }
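Review bot: The default fallbacks in the first hunk stop working once `h` is applied first: `h` calls `to_s` on its argument, so a missing `params['zoom']` becomes `""`, which is truthy in Ruby, and `|| '12'` never fires — the same applies to the `lon`/`lat` lines in the else branch, which now yield `""` instead of `'-0.1'`/`'51.5'`. Apply the default before escaping: `<% zoom = h(params['zoom'] || '12') %>`, `<% lon = h(params['lon'] || '-0.1') %>`, `<% lat = h(params['lat'] || '51.5') %>`. These values appear to be handed to the Flash embed script later (`fo.addVariable('long',lon)` in the second hunk); if they are interpolated into JavaScript there, HTML escaping is not the right escaper for that context, and coercing them to numbers (e.g. `Float(...)`) would be a tighter validation than `h` — how they are emitted is outside this hunk, so confirm against the rest of the template.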
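Review bot: `h(params['gpx'])` on the added `fo.addVariable('gpx', ...)` line is emitted inside a JavaScript single-quoted string literal, and `h` escapes for an HTML context: whether it touches the single quote depends on the Rails version in use, and it never escapes backslashes, so it does not fully constrain what can end up in that string. Since the value is a gpx identifier that is only ever joined with `"/data"`, coercing it to an integer before interpolation is the simpler and stricter fix: `fo.addVariable('gpx','<%= params['gpx'].to_i %>/data');`. The closing `}` at the end of the hunk belongs to a function whose start lies outside the hunk.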