From: Ævar Arnfjörð Bjarmason
Date: Tue, 29 Sep 2009 09:23:11 +0000 (+0000)
Subject: Escape user-supplied JavaScript. Fixes http://lists.openstreetmap.org/pipermail/talk...
X-Git-Tag: live~6661
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/019746068992d03c1bbf4f46282a552552ea9e0c?ds=sidebyside

Escape user-supplied JavaScript. Fixes http://lists.openstreetmap.org/pipermail/talk/2009-September/042846.ht
---
diff --git a/app/views/site/edit.html.erb b/app/views/site/edit.html.erb
index 948b1fad5..d3258c9cf 100644
--- a/app/views/site/edit.html.erb
+++ b/app/views/site/edit.html.erb
@@ -65,7 +65,7 @@ zoom='14' if zoom.nil?
 window.onbeforeunload=function() {
 if (!changesaved) {
- return "<%= t 'site.edit.potlatch_unsaved_changes' %>";
+ return '#{escape_javascript(t('site.edit.potlatch_unsaved_changes'))}';
 }
 }
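Review bot: The added `return` line wraps the escaping call in Ruby string interpolation, `#{escape_javascript(...)}`, which is evaluated only inside a Ruby double-quoted string and not in plain ERB template text. The removed line used a `<%= ... %>` output tag, which suggests this script body is template text; if so, the page will emit the literal `#{escape_javascript(...)}` characters as the unload message and the translated string is never rendered. Keeping the call inside an output tag preserves both the translation and the escaping: `return '<%= escape_javascript(t('site.edit.potlatch_unsaved_changes')) %>';`. The enclosing script block starts and ends outside the hunk, so confirm how this part of the template is rendered and check the prompt in a browser with a translation that contains a quote character.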