title/heading & XSS fix for /edit

diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb
index c3111367dd4d7fe11a9b83f8768aba17aeb0d0f2..66123e717959d2f64434e295c042f69b5ea78d0a 100644 (file)
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@@ -1,4 +1,8 @@
-<h1><%= t('user_block.edit.title', :name => @user_block.user.display_name) %></h1>
+<% @title = t 'user_block.edit.title', :name => h(@user_block.user.display_name) %>
+<h1><%= t('user_block.edit.title',
+          :name => link_to(
+                           h(@user_block.user.display_name),
+                           {:controller => 'user', :action => 'view', :display_name => @user_block.user.display_name})) %></h1>
 
 <% form_for(@user_block) do |f| %>
   <%= f.error_messages %>

diff --git a/config/locales/en.yml b/config/locales/en.yml
index 6d038a252a005763a8b6296b88fabe4d7f7f3e68..10e372bf2ffa15fd9eaf01a0074106927706c104 100644 (file)
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1042,12 +1042,13 @@ en:
       title: "Creating block on {{name}}"
       needs_view: "Does the user need to log in before this block will be cleared?"
     edit:
+      title: "Editing block on {{name}}"
+      heading: "Editing block on {{name}}"
       reason: "The reason why {{name}} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation. Bear in mind that not all users understand the community jargon, so please try to use laymans terms."
       period: "How long, starting now, the user will be blocked from the API for."
       submit: "Update block"
       show: "Show"
       back: "Back"
-      title: "Editing block on {{name}}"
       needs_view: "Does the user need to log in before this block will be cleared?"
     filter:
       not_a_moderator: "You need to be a moderator to perform that action."