From: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Date: Thu, 1 Oct 2009 20:02:54 +0000 (+0000)
Subject: use h() to avoid XSS in usernames
X-Git-Tag: live~6604^2~15
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/78e0ec74f74721a2652b7c950d0aa501363bceef?ds=sidebyside

use h() to avoid XSS in usernames
---

diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb
index 66123e717..c52c94818 100644
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@@ -8,7 +8,7 @@
   <%= f.error_messages %>
 
   <p>
-    <%= f.label :reason, t('user_block.edit.reason', :name => @user_block.user.display_name) %><br />
+    <%= f.label :reason, t('user_block.edit.reason', :name => h(@user_block.user.display_name)) %><br />
     <%= f.text_area :reason %>
   </p>
   <p>
diff --git a/app/views/user_blocks/new.html.erb b/app/views/user_blocks/new.html.erb
index 3d0d2d0bf..470d60e8f 100644
--- a/app/views/user_blocks/new.html.erb
+++ b/app/views/user_blocks/new.html.erb
@@ -1,4 +1,4 @@
-<h1><%= t('user_block.new.title', :name => @this_user.display_name) %></h1>
+<h1><%= t('user_block.new.title', :name => h(@this_user.display_name)) %></h1>
 
 <% form_for(@user_block) do |f| %>
   <%= f.error_messages %>