Add a few more escape calls to prevent nasty HTML being rendered. Also

switch to using sanitize() instead of h() to escape message bodies. This
is not quite as safe as there is no guarantee that the HTML scanner it
uses will find everything, but is does allow benign HTML tags to be
displayed again.

diff --git a/app/views/diary_entry/_diary_entry.rhtml b/app/views/diary_entry/_diary_entry.rhtml
index 97b5330106dde3ffbbe7412d9ff4b0ae0bbedaf9..1574f6d5f49063e6392e830af2cf327128c3aa02 100644 (file)
--- a/app/views/diary_entry/_diary_entry.rhtml
+++ b/app/views/diary_entry/_diary_entry.rhtml
@@ -1,5 +1,5 @@
 <b><%= h(diary_entry.title) %></b><br />
-<%= simple_format(h(diary_entry.body)) %>
+<%= simple_format(sanitize(diary_entry.body)) %>
 <% if diary_entry.latitude and diary_entry.longitude %>
 Coordinates: <div class="geo" style="display: inline"><span class="latitude"><%= diary_entry.latitude %></span>; <span class="longitude"><%= diary_entry.longitude %></span></div> (<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)<br/>
 <% end %>

diff --git a/app/views/message/_message_summary.rhtml b/app/views/message/_message_summary.rhtml
index 02972728efc6f172c33a5b62777c59fa1f83db87..d1604e9b5425193b4f8d62186128f2d794a4b9a5 100644 (file)
--- a/app/views/message/_message_summary.rhtml
+++ b/app/views/message/_message_summary.rhtml
@@ -2,7 +2,7 @@
 
 <tr class="inbox-row<%= "-unread" if not message_summary.message_read? %>">
   <td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to message_summary.sender.display_name , :controller => 'user', :action => message_summary.sender.display_name %></td>
-  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to  message_summary.title , :controller => 'message', :action => 'read', :message_id => message_summary.id  %></td>
+  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to  h(message_summary.title) , :controller => 'message', :action => 'read', :message_id => message_summary.id  %></td>
   <td class="inbox-sent" bgcolor='<%= this_colour %>'><%= message_summary.sent_on %></td>
   <% if message_summary.message_read? %>
     <td><%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => message_summary.id, :mark => 'unread' %></td>

diff --git a/app/views/message/_sent_message_summary.rhtml b/app/views/message/_sent_message_summary.rhtml
index 69b14609a7a678ac7a45b847958b2de9a6ce9ba8..9c117bdd62bbfa66370743d0b94824cd1d605aa1 100644 (file)
--- a/app/views/message/_sent_message_summary.rhtml
+++ b/app/views/message/_sent_message_summary.rhtml
@@ -2,6 +2,6 @@
 
 <tr class="inbox-row">
   <td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.recipient.display_name , :controller => 'user', :action => sent_message_summary.recipient.display_name %></td>
-  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to  sent_message_summary.title , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id  %></td>
+  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to  h(sent_message_summary.title) , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id  %></td>
  <td class="inbox-sent" bgcolor='<%= this_colour %>'><%= sent_message_summary.sent_on %></td>
 </tr>

diff --git a/app/views/message/read.rhtml b/app/views/message/read.rhtml
index 2e2694c072abbff7fecfd119f808ead812bb2c1d..b3dcd1f23a84d3fb562c7603bef3b444e73f22bf 100644 (file)
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@@ -17,7 +17,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= h(@message.body) %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>
 
@@ -50,7 +50,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= h(@message.body) %></td>
+    <td><%= sanitize(@message.body) %></td>
   </tr>
 </table>