<b><%= h(diary_entry.title) %></b><br />
-<%= simple_format(h(diary_entry.body)) %>
+<%= simple_format(sanitize(diary_entry.body)) %>
<% if diary_entry.latitude and diary_entry.longitude %>
Coordinates: <div class="geo" style="display: inline"><span class="latitude"><%= diary_entry.latitude %></span>; <span class="longitude"><%= diary_entry.longitude %></span></div> (<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)<br/>
<% end %>
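Review bot: Replacing `h()` with `sanitize()` on L3 changes the body from fully escaped text to HTML filtered by the sanitizer's allow-list, and the hunk does not say which tags and attributes that list contains, so what a diary author can inject now depends on defaults configured elsewhere. Pass the allow-list explicitly so the decision is visible at the call site and survives a change of defaults, e.g. `<%= simple_format(sanitize(diary_entry.body, :tags => %w(p br b i em strong a ul ol li), :attributes => %w(href))) %>`, and review whether `a` belongs in it at all, since the sanitizer does not add `rel="nofollow"` to author-supplied links. The same `h()`-to-`sanitize()` switch appears on L24 and L31 for `@message.body` and should use the same explicit list so the two views cannot drift apart.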
<tr class="inbox-row<%= "-unread" if not message_summary.message_read? %>">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to message_summary.sender.display_name , :controller => 'user', :action => message_summary.sender.display_name %></td>
- <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to message_summary.title , :controller => 'message', :action => 'read', :message_id => message_summary.id %></td>
+ <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(message_summary.title) , :controller => 'message', :action => 'read', :message_id => message_summary.id %></td>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= message_summary.sent_on %></td>
<% if message_summary.message_read? %>
<td><%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => message_summary.id, :mark => 'unread' %></td>
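Review bot: The new line L10 escapes the message title inside `link_to`, but the sender display name on L8 in the same row is still passed to `link_to` unescaped, and `link_to` in this codebase evidently does not escape its text argument or the title change would have been unnecessary. If display names can contain markup, the row remains injectable through that cell; wrapping it the same way, `<%= link_to h(message_summary.sender.display_name), :controller => 'user', :action => message_summary.sender.display_name %>`, keeps the row consistent. The sent-messages hunk has the identical gap on L15 for `sent_message_summary.recipient.display_name` next to the escaped title on L17.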
<tr class="inbox-row">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.recipient.display_name , :controller => 'user', :action => sent_message_summary.recipient.display_name %></td>
- <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.title , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %></td>
+ <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(sent_message_summary.title) , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %></td>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= sent_message_summary.sent_on %></td>
</tr>
</tr>
<tr>
<th></th>
- <td><%= h(@message.body) %></td>
+ <td><%= sanitize(@message.body) %></td>
</tr>
</table>
</tr>
<tr>
<th></th>
- <td><%= h(@message.body) %></td>
+ <td><%= sanitize(@message.body) %></td>
</tr>
</table>