From: Tom Hughes Date: Fri, 23 Nov 2007 00:49:55 +0000 (+0000) Subject: HTML escape substituted parameter values to avoid injection attacks. X-Git-Tag: live~8036 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/2cbcabb3f6992904903a72dfbcef624bd391a314 HTML escape substituted parameter values to avoid injection attacks.
---
diff --git a/app/views/diary_entry/new.rhtml b/app/views/diary_entry/new.rhtml
index 69995d00e..d93e3e023 100644
--- a/app/views/diary_entry/new.rhtml
+++ b/app/views/diary_entry/new.rhtml
@@ -23,13 +23,13 @@
 <% end %> <% if @user.home_lat.nil? or @user.home_lon.nil? %>
- <% lon = params['lon'] || '-0.1' %>
- <% lat = params['lat'] || '51.5' %>
- <% zoom = params['zoom'] || '4' %>
+ <% lon = h(params['lon']) || '-0.1' %>
+ <% lat = h(params['lat']) || '51.5' %>
+ <% zoom = h(params['zoom']) || '4' %>
 <% else %>
- <% lon = @user.home_lon %>
- <% lat = @user.home_lat %>
- <% zoom = '12' %>
+ <% lon = @user.home_lon %>
+ <% lat = @user.home_lat %>
+ <% zoom = '12' %>
 <% end %>
@@ -68,4 +68,4 @@ window.onload = init; // -->
-
\ No newline at end of file
+
diff --git a/app/views/message/new.rhtml b/app/views/message/new.rhtml
index 883fdfbc0..27c501322 100644
--- a/app/views/message/new.rhtml
+++ b/app/views/message/new.rhtml
@@ -3,7 +3,7 @@
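Review bot: `<% lon = h(params['lon']) || '-0.1' %>` can no longer fall back to its default, because `h` stringifies its argument and so returns `""` for a missing parameter, and an empty string is truthy in Ruby; the default only works when the escape wraps the whole expression, `<% lon = h(params['lon'] || '-0.1') %>`, and the same applies to the `lat` and `zoom` lines. The identical pattern appears in the site/edit.rhtml hunk, both site/index.rhtml hunks and the user/account.rhtml hunk below. Since these values are coordinates and a zoom level, checking that they are numeric and falling back to the default otherwise would hold in every output context, whereas HTML escaping only covers HTML body text.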

Send a new message to <%= display_name %>

<% if params[:display_name] %> -

Writing a new message to <%= params[:display_name] %>

+

Writing a new message to <%= h(params[:display_name]) %>

TODO: drop down box of your friends

<%end%>
diff --git a/app/views/site/_search.rhtml b/app/views/site/_search.rhtml
index 19b4ca2d1..bdfc2fb57 100644
--- a/app/views/site/_search.rhtml
+++ b/app/views/site/_search.rhtml
@@ -24,7 +24,7 @@
 <% if params[:query] %> <%= remote_function(:loading => "startSearch()", :complete => "endSearch()",
- :url => { :controller => :geocoder, :action => :search, :query => params[:query] }) %>
+ :url => { :controller => :geocoder, :action => :search, :query => h(params[:query]) }) %>
 <% end %> // -->
@@ -38,7 +38,7 @@
 <% form_remote_tag(:loading => "startSearch()", :complete => "endSearch()", :url => { :controller => :geocoder, :action => :search }) do %>
- <%= text_field_tag :query, params[:query] %>
+ <%= text_field_tag :query, h(params[:query]) %>
 <% end %>
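Review bot: `Send a new message to <%= display_name %>` on the heading line of this hunk is still emitted unescaped, while the near-identical line below now wraps `params[:display_name]` in `h`; if `display_name` is a user-chosen name rather than a constant it needs the same `<%= h(display_name) %>`. The hunk does not show where `display_name` is defined, so it may already be escaped upstream.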
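Review bot: `:query => h(params[:query])` HTML-escapes a value that `url_for` is about to percent-encode, so a search term containing `&`, `<`, `>` or `"` reaches the geocoder altered (`fish & chips` is sent as `fish &amp; chips`); the value should be passed through as `:query => params[:query]` and any quoting needed for the generated script left to `remote_function`. In the next hunk, `<%= text_field_tag :query, h(params[:query]) %>` is redundant rather than harmful, because the form tag helpers escape their attribute values themselves, and depending on the Rails version it risks double-escaping; the same applies to `hidden_field_tag('referer', h(params[:referer]))` in user/login.rhtml. For the `referer` field, escaping does not constrain where a post-login redirect may point, so if the controller redirects to it a same-site check belongs there (not visible in this diff).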

Searching...

diff --git a/app/views/site/edit.rhtml b/app/views/site/edit.rhtml
index de2764115..16c2ef3f2 100644
--- a/app/views/site/edit.rhtml
+++ b/app/views/site/edit.rhtml
@@ -24,17 +24,17 @@
 <% session[:token] = @user.tokens.create.token unless session[:token] %> <% if params['mlon'] and params['mlat'] %>
-<% lon = params['mlon'] %>
-<% lat = params['mlat'] %>
-<% zoom = params['zoom'] || '12' %>
+<% lon = h(params['mlon']) %>
+<% lat = h(params['mlat']) %>
+<% zoom = h(params['zoom']) || '12' %>
 <% elsif @user and params['lon'].nil? and params['lat'].nil? %> <% lon = @user.home_lon %> <% lat = @user.home_lat %> <% zoom = '12' %> <%else%>
-<% lon = params['lon'] || '-0.1' %>
-<% lat = params['lat'] || '51.5' %>
-<% zoom = params['zoom'] || '12' %>
+<% lon = h(params['lon']) || '-0.1' %>
+<% lat = h(params['lat']) || '51.5' %>
+<% zoom = h(params['zoom']) || '12' %>
 <% end %>
You need a Flash player to use Potlatch, the
@@ -54,7 +54,9 @@
 fo.addVariable('long',lon); fo.addVariable('scale',sc); fo.addVariable('token','<%= session[:token] %>');
-<% if params['gpx'] %> fo.addVariable('gpx','<%= params['gpx']+"/data" %>'); <% end %>
+ <% if params['gpx'] %>
+ fo.addVariable('gpx','<%= h(params['gpx']) + "/data" %>');
+ <% end %>
 fo.write("map"); }
diff --git a/app/views/site/index.rhtml b/app/views/site/index.rhtml
index 98ab2ff1a..395c851d4 100644
--- a/app/views/site/index.rhtml
+++ b/app/views/site/index.rhtml
@@ -28,28 +28,28 @@ by the OpenStreetMap project and it's contributors.
 <% if params['mlon'] and params['mlat'] %> <% marker = true %>
-<% mlon = params['mlon'] %>
-<% mlat = params['mlat'] %>
+<% mlon = h(params['mlon']) %>
+<% mlat = h(params['mlat']) %>
 <% end %> <% if params['minlon'] and params['minlat'] and params['maxlon'] and params['maxlat'] %> <% bbox = true %>
-<% minlon = params['minlon'] %>
-<% minlat = params['minlat'] %>
-<% maxlon = params['maxlon'] %>
-<% maxlat = params['maxlat'] %>
+<% minlon = h(params['minlon']) %>
+<% minlat = h(params['minlat']) %>
+<% maxlon = h(params['maxlon']) %>
+<% maxlat = h(params['maxlat']) %>
 <% end %> <% if params['lon'] and params['lat'] %>
-<% lon = params['lon'] %>
-<% lat = params['lat'] %>
-<% zoom = params['zoom'] || '5' %>
-<% layers = params['layers'] %>
+<% lon = h(params['lon']) %>
+<% lat = h(params['lat']) %>
+<% zoom = h(params['zoom']) || '5' %>
+<% layers = h(params['layers']) %>
 <% elsif params['mlon'] and params['mlat'] %>
-<% lon = params['mlon'] %>
-<% lat = params['mlat'] %>
-<% zoom = params['zoom'] || '12' %>
-<% layers = params['layers'] %>
+<% lon = h(params['mlon']) %>
+<% lat = h(params['mlat']) %>
+<% zoom = h(params['zoom']) || '12' %>
+<% layers = h(params['layers']) %>
 <% elsif cookies.key?("location") %> <% lon,lat,zoom,layers = cookies["location"].value.first.split(",") %> <% elsif @user and !@user.home_lon.nil? and !@user.home_lat.nil? %> 
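Review bot: `fo.addVariable('gpx','<%= h(params['gpx']) + "/data" %>');` places the parameter inside a single-quoted JavaScript string, where HTML escaping is the wrong encoder: entities are not decoded inside a script block, and `h` leaves backslashes (and, in the Rails of this era, single quotes) untouched, so the string literal is not reliably contained. Use the JavaScript escaper instead, `fo.addVariable('gpx','<%= escape_javascript(params['gpx']) + "/data" %>');`, or, if `gpx` is a numeric trace id as the `/data` suffix suggests, validate it as an integer before use. The same concern applies to `lon`, `lat` and `zoom` from the `@@ -24,17` hunk if, as the `fo.addVariable('long',lon)` context suggests, they are interpolated into this script; the enclosing JavaScript function starts before the hunk.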
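Review bot: The `<% elsif cookies.key?("location") %>` branch near the end of the hunk still assigns `lon,lat,zoom,layers` straight from `cookies["location"].value.first.split(",")` with no escaping, while every `params` source of the same four variables is now wrapped in `h`; a cookie is supplied by the client just as a query string is, so this branch needs the same treatment, e.g. `<% lon,lat,zoom,layers = cookies["location"].value.first.split(",").map { |v| h(v) } %>`. A numeric check on the coordinates and zoom (and a whitelist for `layers`, which presumably is a short code) applied once after the chain would cover every branch at the same time. The `if`/`elsif` chain continues past the end of the hunk.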
@@ -67,8 +67,8 @@ by the OpenStreetMap project and it's contributors.
 <% else %> <% lon = '-0.1' %> <% lat = '51.5' %>
-<% zoom = params['zoom'] || '5' %>
-<% layers = params['layers'] %>
+<% zoom = h(params['zoom']) || '5' %>
+<% layers = h(params['layers']) %>
 <% end %> <% end %>
diff --git a/app/views/user/account.rhtml b/app/views/user/account.rhtml
index b25cb0071..1a18c90b2 100644
--- a/app/views/user/account.rhtml
+++ b/app/views/user/account.rhtml
@@ -34,9 +34,9 @@
 <% if @user.home_lat.nil? or @user.home_lon.nil? %>
- <% lon = params['lon'] || '-0.1' %>
- <% lat = params['lat'] || '51.5' %>
- <% zoom = params['zoom'] || '4' %>
+ <% lon = h(params['lon']) || '-0.1' %>
+ <% lat = h(params['lat']) || '51.5' %>
+ <% zoom = h(params['zoom']) || '4' %>
 <% else %> <% marker = true %> <% mlon = @user.home_lon %>
diff --git a/app/views/user/login.rhtml b/app/views/user/login.rhtml
index 215385c36..5c6ec3ec5 100644
--- a/app/views/user/login.rhtml
+++ b/app/views/user/login.rhtml
@@ -2,7 +2,7 @@ Please login or <%= link_to 'create an account', :controller => 'user', :action => 'new' %>.
<% form_tag :action => 'login' do %>
-<%= hidden_field_tag('referer', params[:referer]) %>
+<%= hidden_field_tag('referer', h(params[:referer])) %>
Email Address:<%= text_field('user', 'email',{:size => 50, :maxlength => 255}) %>
Password:<%= password_field('user', 'password',{:size => 50, :maxlength => 255}) %>