From: Ævar Arnfjörð Bjarmason Date: Thu, 1 Oct 2009 18:49:38 +0000 (+0000) Subject: * use h() on username to avoid XSS X-Git-Tag: live~6568^2~23 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/268a2cd47470f5cb140258500a94d4cd033e1412?hp=4f92ce1243a2fd1ddaf77d79a30596275eaac0bc;ds=sidebyside * use h() on username to avoid XSS * Link to username in

* Set on /blocks and /blocks_by
---
diff --git a/app/views/user_blocks/blocks_by.html.erb b/app/views/user_blocks/blocks_by.html.erb
index d49a74c0a..0140534c4 100644
--- a/app/views/user_blocks/blocks_by.html.erb
+++ b/app/views/user_blocks/blocks_by.html.erb
@@ -1,3 +1,4 @@
-<h1><%= t('user_block.blocks_by.heading', :name => @this_user.display_name) %></h1>
+<% @title = t('user_block.blocks_by.title', :name => h(@this_user.display_name)) %>
+<h1><%= t('user_block.blocks_by.heading', :name => link_to(h(@this_user.display_name), {:controller => 'user', :action => 'view', :display_name => @this_user.display_name})) %></h1>
 <%= render :partial => 'blocks', :locals => { :show_revoke_link => (@user and @user.moderator?), :show_user_name => true, :show_creator_name => false } %>
diff --git a/app/views/user_blocks/blocks_on.html.erb b/app/views/user_blocks/blocks_on.html.erb
index 8d4684339..f4632e998 100644
--- a/app/views/user_blocks/blocks_on.html.erb
+++ b/app/views/user_blocks/blocks_on.html.erb
@@ -1,3 +1,4 @@
-<h1><%= t('user_block.blocks_on.heading', :name => @this_user.display_name) %></h1>
+<% @title = t('user_block.blocks_on.title', :name => h(@this_user.display_name)) %>
+<h1><%= t('user_block.blocks_on.heading', :name => link_to(h(@this_user.display_name), {:controller => 'user', :action => 'view', :display_name => @this_user.display_name})) %></h1>
 <%= render :partial => 'blocks', :locals => { :show_revoke_link => (@user and @user.moderator?), :show_user_name => false, :show_creator_name => true } %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 529b66ea5..412d9259f 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
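Review bot: The new `@title` assignment escapes the display name with `h()` before interpolating it through `t()`, but nothing in this diff shows how the layout emits `@title`; if the layout renders it as `<%= h(@title) %>` a name containing `&` or `<` will appear double-escaped in the page title, and if it renders `@title` raw then the `h()` here is the only escaping it gets, so the convention should be confirmed and recorded at the assignment, e.g. `<%# layout emits @title unescaped – keep h() on user-supplied names %>`. The `<h1>` line is sound as written: `h()` escapes the user-controlled name used as the anchor text while `link_to` builds the href, so the only markup reaching the unescaped `<%= %>` is the anchor plus the trusted locale string. The blocks_on hunk has the identical pair of lines and the same open question. Both views now carry the same `link_to(h(@this_user.display_name), ...)` expression; a small helper would keep the escaping in one place so a later edit cannot drop it from one view but not the other.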
@@ -1088,9 +1088,11 @@ en:
 until_login: "Active until the user logs in."
 time_past: "Ended {{time}} ago."
 blocks_on:
- heading: "List blocks on {{name}}"
+ title: "Blocks on {{name}}"
+ heading: "List of blocks on {{name}}"
 blocks_by:
- heading: "List blocks by {{name}}"
+ title: "Blocks by {{name}}"
+ heading: "List of blocks by {{name}}"
 show:
 heading: "Block on {{block_on}} by {{block_by}}"
 time_future: "Ends in {{time}}"