From 1e54573bae7eed568e99ebc0b0d448170f08c880 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Tue, 15 Jan 2008 00:26:01 +0000
Subject: [PATCH 1/1] Escape message titles and bodies. This is an emergency
 fix as some genius has decided to report this XSS problem to a public mailing
 list. Unfortunately it means that some functionality (links in messages etc)
 has been lost for now.

---
 app/views/diary_entry/_diary_entry.rhtml | 4 ++--
 app/views/message/read.rhtml             | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/views/diary_entry/_diary_entry.rhtml b/app/views/diary_entry/_diary_entry.rhtml
index 366a67f0e..97b533010 100644
--- a/app/views/diary_entry/_diary_entry.rhtml
+++ b/app/views/diary_entry/_diary_entry.rhtml
@@ -1,5 +1,5 @@
-<b><%= diary_entry.title %></b><br />
-<%= simple_format(diary_entry.body) %>
+<b><%= h(diary_entry.title) %></b><br />
+<%= simple_format(h(diary_entry.body)) %>
 <% if diary_entry.latitude and diary_entry.longitude %>
 Coordinates: <div class="geo" style="display: inline"><span class="latitude"><%= diary_entry.latitude %></span>; <span class="longitude"><%= diary_entry.longitude %></span></div> (<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)<br/>
 <% end %>
diff --git a/app/views/message/read.rhtml b/app/views/message/read.rhtml
index 4117057d0..2e2694c07 100644
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@@ -9,7 +9,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
   </tr>
   <tr>
     <th align="right">Date</th>
@@ -17,7 +17,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= @message.body %></td>
+    <td><%= h(@message.body) %></td>
   </tr>
 </table>
 
@@ -42,7 +42,7 @@
   </tr>
   <tr>
     <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
   </tr>
   <tr>
     <th align="right">Date</th>
@@ -50,7 +50,7 @@
   </tr>
   <tr>
     <th></th>
-    <td><%= @message.body %></td>
+    <td><%= h(@message.body) %></td>
   </tr>
 </table>
 
-- 
2.43.2