From 0d70728fe268981c5f6a852d6c3a48915ace48f5 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Tue, 4 Mar 2008 16:51:13 +0000
Subject: [PATCH] Escape user display names.

---
 app/views/message/_message_summary.rhtml      | 4 ++--
 app/views/message/_sent_message_summary.rhtml | 6 +++---
 app/views/message/new.rhtml                   | 2 +-
 app/views/message/read.rhtml                  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/views/message/_message_summary.rhtml b/app/views/message/_message_summary.rhtml
index 381a6cce1..6d45d33dd 100644
--- a/app/views/message/_message_summary.rhtml
+++ b/app/views/message/_message_summary.rhtml
@@ -1,8 +1,8 @@
 <% this_colour = cycle('lightgrey', 'white') # can only call once for some dumb reason %>
 
 <tr class="inbox-row<%= "-unread" if not message_summary.message_read? %>">
-  <td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to message_summary.sender.display_name , :controller => 'user', :action => message_summary.sender.display_name %></td>
-  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to  h(message_summary.title) , :controller => 'message', :action => 'read', :message_id => message_summary.id  %></td>
+  <td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to h(message_summary.sender.display_name), :controller => 'user', :action => message_summary.sender.display_name %></td>
+  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(message_summary.title), :controller => 'message', :action => 'read', :message_id => message_summary.id  %></td>
   <td class="inbox-sent" bgcolor='<%= this_colour %>'><%= message_summary.sent_on %></td>
   <% if message_summary.message_read? %>
     <td><%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => message_summary.id, :mark => 'unread' %></td>
diff --git a/app/views/message/_sent_message_summary.rhtml b/app/views/message/_sent_message_summary.rhtml
index 9c117bdd6..f0d87aa27 100644
--- a/app/views/message/_sent_message_summary.rhtml
+++ b/app/views/message/_sent_message_summary.rhtml
@@ -1,7 +1,7 @@
 <% this_colour = cycle('lightgrey', 'white') # can only call once for some dumb reason %>
 
 <tr class="inbox-row">
-  <td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.recipient.display_name , :controller => 'user', :action => sent_message_summary.recipient.display_name %></td>
-  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to  h(sent_message_summary.title) , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id  %></td>
- <td class="inbox-sent" bgcolor='<%= this_colour %>'><%= sent_message_summary.sent_on %></td>
+  <td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to h(sent_message_summary.recipient.display_name), :controller => 'user', :action => sent_message_summary.recipient.display_name %></td>
+  <td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(sent_message_summary.title), :controller => 'message', :action => 'read', :message_id => sent_message_summary.id  %></td>
+  <td class="inbox-sent" bgcolor='<%= this_colour %>'><%= sent_message_summary.sent_on %></td>
 </tr>
diff --git a/app/views/message/new.rhtml b/app/views/message/new.rhtml
index 84b3bfdc8..d66e7caed 100644
--- a/app/views/message/new.rhtml
+++ b/app/views/message/new.rhtml
@@ -1,7 +1,7 @@
 <% display_name = User.find_by_id(params[:user_id]).display_name %>
 <% title = params[:message] ? params[:message][:title] : params[:title] %>
 
-<h2>Send a new message to <%= display_name %></h2>
+<h2>Send a new message to <%= h(display_name) %></h2>
 
 <% if params[:display_name] %>
 <p>Writing a new message to <%= h(params[:display_name]) %></p>  
diff --git a/app/views/message/read.rhtml b/app/views/message/read.rhtml
index 58a77ad46..d44859029 100644
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@@ -10,7 +10,7 @@
         <%= image_tag url_for_file_column(@message.sender, "image") %>
       <% end %>
   
-<%= link_to @message.sender.display_name, :controller => 'user', :action => 'view', :display_name => @message.sender.display_name %></td>
+<%= link_to h(@message.sender.display_name), :controller => 'user', :action => 'view', :display_name => @message.sender.display_name %></td>
   </tr>
   <tr>
     <th align="right">Subject</th>
@@ -43,7 +43,7 @@
 <table>
   <tr>
     <th align="right">To</th>
-    <td><%= link_to @message.recipient.display_name, :controller => 'user', :action => 'view', :display_name => @message.recipient.display_name %></td>
+    <td><%= link_to h(@message.recipient.display_name), :controller => 'user', :action => 'view', :display_name => @message.recipient.display_name %></td>
   </tr>
   <tr>
     <th align="right">Subject</th>
-- 
2.43.2