switch to using sanitize() instead of h() to escape message bodies. This
is not quite as safe as there is no guarantee that the HTML scanner it
uses will find everything, but it does allow benign HTML tags to be
displayed again.
<b><%= h(diary_entry.title) %></b><br />
<b><%= h(diary_entry.title) %></b><br />
-<%= simple_format(h(diary_entry.body)) %>
+<%= simple_format(sanitize(diary_entry.body)) %>
<% if diary_entry.latitude and diary_entry.longitude %>
Coordinates: <div class="geo" style="display: inline"><span class="latitude"><%= diary_entry.latitude %></span>; <span class="longitude"><%= diary_entry.longitude %></span></div> (<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)<br/>
<% end %>
<% if diary_entry.latitude and diary_entry.longitude %>
Coordinates: <div class="geo" style="display: inline"><span class="latitude"><%= diary_entry.latitude %></span>; <span class="longitude"><%= diary_entry.longitude %></span></div> (<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)<br/>
<% end %>
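Review bot: The new `sanitize(diary_entry.body)` on the `+` line depends on the sanitizer's default tag handling, which the commit message itself says cannot be relied on to catch everything; passing an explicit allowlist limits the exposure to the "benign" tags the change actually wants to display, e.g. `simple_format(sanitize(diary_entry.body, :tags => %w(b i em strong p br a), :attributes => %w(href)))`, provided the Rails version in use accepts the `:tags`/`:attributes` options (not visible here). Allowing `href` also needs confirmation that the sanitizer in use drops `javascript:` and other non-http(s) URL schemes, otherwise a link in a diary entry remains an XSS vector. Sanitizing before `simple_format` is the right order, since `simple_format`'s own `<p>`/`<br />` output must not be stripped. The `latitude`/`longitude` values on the `Coordinates:` line are also emitted unescaped; that is presumably fine if they are numeric columns, but worth confirming against the model.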
<tr class="inbox-row<%= "-unread" if not message_summary.message_read? %>">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to message_summary.sender.display_name , :controller => 'user', :action => message_summary.sender.display_name %></td>
<tr class="inbox-row<%= "-unread" if not message_summary.message_read? %>">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to message_summary.sender.display_name , :controller => 'user', :action => message_summary.sender.display_name %></td>
- <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to message_summary.title , :controller => 'message', :action => 'read', :message_id => message_summary.id %></td>
+ <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(message_summary.title) , :controller => 'message', :action => 'read', :message_id => message_summary.id %></td>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= message_summary.sent_on %></td>
<% if message_summary.message_read? %>
<td><%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => message_summary.id, :mark => 'unread' %></td>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= message_summary.sent_on %></td>
<% if message_summary.message_read? %>
<td><%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => message_summary.id, :mark => 'unread' %></td>
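Review bot: The `h()` added around the subject on the `+` line leaves `message_summary.sender.display_name` on the preceding `inbox-sender` line unescaped, and `link_to` in this era of Rails does not escape its name argument, so a display name containing markup is still rendered raw in the inbox; the same wrap is needed there: `link_to h(message_summary.sender.display_name), :controller => 'user', :action => message_summary.sender.display_name`. The `bgcolor='<%= this_colour %>'` cells are presumably a server-side palette value rather than user input, but since it lands inside a single-quoted attribute that is worth confirming where `this_colour` is set.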
<tr class="inbox-row">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.recipient.display_name , :controller => 'user', :action => sent_message_summary.recipient.display_name %></td>
<tr class="inbox-row">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.recipient.display_name , :controller => 'user', :action => sent_message_summary.recipient.display_name %></td>
- <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.title , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %></td>
+ <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(sent_message_summary.title) , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %></td>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= sent_message_summary.sent_on %></td>
</tr>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= sent_message_summary.sent_on %></td>
</tr>
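Review bot: As with the inbox, escaping only the title on the `+` line leaves `sent_message_summary.recipient.display_name` on the `inbox-sender` line unescaped, and since `link_to` does not escape its name argument here a recipient with markup in their display name still injects into the outbox; change it to `link_to h(sent_message_summary.recipient.display_name), :controller => 'user', :action => sent_message_summary.recipient.display_name`. Keeping both views on the same pattern also makes the next audit of these templates cheaper.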
- <td><%= h(@message.body) %></td>
+ <td><%= sanitize(@message.body) %></td>
- <td><%= h(@message.body) %></td>
+ <td><%= sanitize(@message.body) %></td>