From: Ævar Arnfjörð Bjarmason Date: Thu, 1 Oct 2009 19:45:36 +0000 (+0000) Subject: title/heading & XSS fix for /edit X-Git-Tag: live~6568^2~18 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/1cea0df3d8ca8c900b7e23b90ef90ea7dda4f320 title/heading & XSS fix for /edit
---
diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb
index c3111367d..66123e717 100644
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@@ -1,4 +1,8 @@
-

<%= t('user_block.edit.title', :name => @user_block.user.display_name) %>

+<% @title = t 'user_block.edit.title', :name => h(@user_block.user.display_name) %> +

<%= t('user_block.edit.title', + :name => link_to( + h(@user_block.user.display_name), + {:controller => 'user', :action => 'view', :display_name => @user_block.user.display_name})) %>

<% form_for(@user_block) do |f| %> <%= f.error_messages %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 6d038a252..10e372bf2 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1042,12 +1042,13 @@ en:
title: "Creating block on {{name}}"
needs_view: "Does the user need to log in before this block will be cleared?"
edit:
+ title: "Editing block on {{name}}"
+ heading: "Editing block on {{name}}"
reason: "The reason why {{name}} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation. Bear in mind that not all users understand the community jargon, so please try to use laymans terms."
period: "How long, starting now, the user will be blocked from the API for."
submit: "Update block"
show: "Show"
back: "Back"
- title: "Editing block on {{name}}"
needs_view: "Does the user need to log in before this block will be cleared?"
filter:
not_a_moderator: "You need to be a moderator to perform that action."
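Review bot: The heading on the new side still looks up `t('user_block.edit.title', …)` even though the en.yml hunk in this same commit adds a separate `user_block.edit.heading` key, so `heading` is defined but never rendered and the title/heading split the commit message announces is not actually made; change the heading call to `t('user_block.edit.heading', :name => link_to(…))` or drop the unused key. The two `h(@user_block.user.display_name)` calls are what close the XSS, and they are needed because neither `t` nor `link_to` escapes the text handed to them in a Rails of this vintage, so a short guard comment on the `@title` line such as `<%# display_name is user-controlled: keep h() on both the title and the heading %>` would stop a later edit from dropping one of them. Whether the layout escapes `@title` again cannot be seen from this hunk; if it wraps `@title` in `h()` a name containing `&` will render as a literal `&amp;`, so confirm which side owns escaping. Leaving the `:display_name` in the URL hash unescaped is correct, since the route helper URL-encodes it rather than emitting it as HTML. The `form_for` block opened on the last context line continues outside the hunk.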