Yet more escaping.

diff --git a/app/views/trace/_trace.rhtml b/app/views/trace/_trace.rhtml
index 91862444ab34c72825f15822abd0ff64e576db58..095d662398eb2285900998e1f6a36050479aa52b 100644 (file)
--- a/app/views/trace/_trace.rhtml
+++ b/app/views/trace/_trace.rhtml
@@ -17,9 +17,9 @@
       <%= link_to_if trace.inserted?, 'map', {:controller => 'site', :action => 'index', :lat => trace.latitude, :lon => trace.longitude, :zoom => 14}, {:title => 'View Map'} %> /
       <%= link_to_if trace.inserted?, 'edit', {:controller => 'site', :action => 'edit', :lat => trace.latitude, :lon => trace.longitude, :zoom => 14, :gpx => trace.id }, {:title => 'Edit Map'} %>
       <br />
-      <%= escape_once(trace.description) %>
+      <%= h(trace.description) %>
     <br />
-    by <%= link_to trace.user.display_name, {:controller => 'user', :action => 'view', :display_name => trace.user.display_name} %>
+    by <%= link_to h(trace.user.display_name), {:controller => 'user', :action => 'view', :display_name => trace.user.display_name} %>
     in 
     <% if trace.tags %>
       <% trace.tags.each do |tag| %>

diff --git a/app/views/trace/_trace_header.rhtml b/app/views/trace/_trace_header.rhtml
index a9d8ca259255fddab0b1a3e2b5b18398037e6b65..179b79c32fccbe8541c345f93d470d93b31ad3ff 100644 (file)
--- a/app/views/trace/_trace_header.rhtml
+++ b/app/views/trace/_trace_header.rhtml
@@ -1,4 +1,4 @@
-<h1><%= @title %></h1>
+<h1><%= h(@title) %></h1>
 
 <span class="rsssmall"><a href="<%= url_for :action => 'georss', :display_name => @display_name, :tag => @tag %>"><img src="/images/RSS.gif" border="0" alt="RSS" /></a></span>
 <% if @user.nil? or @display_name.nil? or @user.display_name != @display_name %>

diff --git a/app/views/trace/edit.rhtml b/app/views/trace/edit.rhtml
index 22405c1fc1c12230f52320a5c79d882d36a5ecfe..d7c04182dbcebc636798eaaff4b8abd72b20cbff 100644 (file)
--- a/app/views/trace/edit.rhtml
+++ b/app/views/trace/edit.rhtml
@@ -1,4 +1,4 @@
-<h2><%= @title %></h2>
+<h2><%= h(@title) %></h2>
 
 <img src="<%= url_for :controller => 'trace', :action => 'picture', :id => @trace.id, :display_name => @trace.user.display_name %>">
 
@@ -24,7 +24,7 @@
   <% end %>
   <tr>
     <td>Owner:</td>
-    <td><%= link_to @trace.user.display_name, {:controller => 'user', :action => 'view', :display_name => @trace.user.display_name} %></td>
+    <td><%= link_to h(@trace.user.display_name), {:controller => 'user', :action => 'view', :display_name => @trace.user.display_name} %></td>
   </tr>
   <tr>
     <td>Description:</td>

diff --git a/app/views/trace/view.rhtml b/app/views/trace/view.rhtml
index a5b0cef099b3636614b7b6c01f52c7d71d9d47c8..021b536e8ef3b25ec868f714b9e9e6650dbf7ed5 100644 (file)
--- a/app/views/trace/view.rhtml
+++ b/app/views/trace/view.rhtml
@@ -1,4 +1,4 @@
-<h2><%= @title %></h2>
+<h2><%= h(@title) %></h2>
 
 <img src="<%= url_for :controller => 'trace', :action => 'picture', :id => @trace.id, :display_name => @trace.user.display_name %>">
 
@@ -22,11 +22,11 @@
   <% end %>
   <tr>
     <td>Owner:</td>
-    <td><%= link_to @trace.user.display_name, {:controller => 'user', :action => 'view', :display_name => @trace.user.display_name} %></td>
+    <td><%= link_to g(@trace.user.display_name), {:controller => 'user', :action => 'view', :display_name => @trace.user.display_name} %></td>
   </tr>
   <tr>
     <td>Description:</td>
-    <td><%= @trace.description %></td>
+    <td><%= h(@trace.description) %></td>
   </tr>
   <tr>
     <td>Tags:</td>