X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/d736a158bee0ff17bdba30496b87e1bfe20e2910..b4165975078d6a520f80296fafea19b4c6b83bf5:/app/views/message/read.rhtml

diff --git a/app/views/message/read.rhtml b/app/views/message/read.rhtml
index 4117057d0..d0517d0bf 100644
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@@ -9,7 +9,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
   </tr>
   <tr>
     <th align="right">Date</th>
@@ -17,7 +17,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= @message.body %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>
 
@@ -25,7 +25,7 @@
 
 <table>
   <tr>
-    <td><%= button_to 'Reply', :controller => 'message', :action => 'new', :user_id => @message.from_user_id %></td>
+    <td><%= button_to 'Reply', :controller => 'message', :action => 'reply', :message_id => @message.id %></td>
     <td><%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => @message.id, :mark => 'unread' %></td>
     <td><%= link_to 'Back to inbox', :controller => 'message', :action => 'inbox', :display_name => @user.display_name %></td>
   </tr>
@@ -42,7 +42,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
   </tr>
   <tr>
     <th align="right">Date</th>
@@ -50,7 +50,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= @message.body %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>
 

Date
<%= button_to 'Reply', :controller => 'message', :action => 'new', :user_id => @message.from_user_id %>	<%= button_to 'Reply', :controller => 'message', :action => 'reply', :message_id => @message.id %>	<%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => @message.id, :mark => 'unread' %>	<%= link_to 'Back to inbox', :controller => 'message', :action => 'inbox', :display_name => @user.display_name %>
Subject	<%= @message.title %>	<%= h(@message.title) %>
	<%= @message.body %>	<%= sanitize(@message.body) %>