From: Tom Hughes Date: Mon, 14 Sep 2009 23:17:02 +0000 (+0000) Subject: Escape tag values - there is no reason at all to render things which X-Git-Tag: live~6675 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/920052039526e0a7a5bdae59c4e9cd69dd5c904a Escape tag values - there is no reason at all to render things which might look like HTML tags in a tag value. --- diff --git a/app/views/browse/_tag.html.erb b/app/views/browse/_tag.html.erb index a9a122e6d..5724b0646 100644 --- a/app/views/browse/_tag.html.erb +++ b/app/views/browse/_tag.html.erb @@ -1,3 +1,3 @@ - <%= h(tag[0]) %> = <%= sanitize(auto_link(tag[1])) %> + <%= h(tag[0]) %> = <%= auto_link(h(tag[1])) %> diff --git a/app/views/changeset/list.atom.builder b/app/views/changeset/list.atom.builder index 82309ee53..7905ac773 100644 --- a/app/views/changeset/list.atom.builder +++ b/app/views/changeset/list.atom.builder @@ -68,7 +68,7 @@ atom_feed(:language => I18n.locale, :schema_date => 2009, td.table :cellpadding => "0" do |table| changeset.tags.sort.each do |tag| table.tr do |tr| - tr.td "#{h(tag[0])} = #{sanitize(tag[1])}" + tr.td "#{h(tag[0])} = #{auto_link(h(tag[1]))}" end end end
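Review bot: moving `h()` inside `auto_link` in `app/views/browse/_tag.html.erb` is the right fix; `sanitize` is a tag whitelist that still lets markup through, whereas `h(tag[1])` escapes every user-supplied character before `auto_link` adds its own `<a href="...">`, so the only raw HTML reaching the page is what the helper itself generates. Worth a view test with a tag value such as `<b>x</b> http://example.com/?a=1&b=2`: the `<b>` must appear literally, the URL must still become a link, and the href should carry `&amp;`, which the browser decodes back to `&`.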
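Review bot: in `app/views/changeset/list.atom.builder` the string handed to `tr.td` now contains raw `<a ...>` markup from `auto_link` as well as the entities produced by `h`; please confirm the Builder object does not escape that text a second time (Builder::XmlMarkup escapes `<` and `&` in strings passed as element content), or the feed will show the anchor markup literally and `&` as `&amp;amp;`. The existing `h(tag[0])` on the same line already depended on this, but this hunk is the first to put element markup into that string; if it does double-escape, append the value unescaped with `tr.td { |td| td << auto_link(h(tag[1])) }` instead of passing it as an argument.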