From 9f909d7447b0d9327d9033a8c9ab0bc6e597bf80 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 15 Jan 2008 18:22:08 +0000
Subject: [PATCH] Add a few more escape calls to prevent nasty HTML being rendered.

Also switch to using sanitize() instead of h() to escape message bodies. This is not quite as safe as there is no guarantee that the HTML scanner it uses will find everything, but is does allow benign HTML tags to be displayed again.
---
 app/views/diary_entry/_diary_entry.rhtml | 2 +-
 app/views/message/_message_summary.rhtml | 2 +-
 app/views/message/_sent_message_summary.rhtml | 2 +-
 app/views/message/read.rhtml | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/app/views/diary_entry/_diary_entry.rhtml b/app/views/diary_entry/_diary_entry.rhtml
index 97b533010..1574f6d5f 100644
--- a/app/views/diary_entry/_diary_entry.rhtml
+++ b/app/views/diary_entry/_diary_entry.rhtml
@@ -1,5 +1,5 @@
 <%= h(diary_entry.title) %>
-<%= simple_format(h(diary_entry.body)) %>
+<%= simple_format(sanitize(diary_entry.body)) %>
 <% if diary_entry.latitude and diary_entry.longitude %> Coordinates:
<%= diary_entry.latitude %>; <%= diary_entry.longitude %>
(<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)
<% end %>
diff --git a/app/views/message/_message_summary.rhtml b/app/views/message/_message_summary.rhtml
index 02972728e..d1604e9b5 100644
--- a/app/views/message/_message_summary.rhtml
+++ b/app/views/message/_message_summary.rhtml
@@ -2,7 +2,7 @@
 "> <%= link_to message_summary.sender.display_name , :controller => 'user', :action => message_summary.sender.display_name %>
- <%= link_to message_summary.title , :controller => 'message', :action => 'read', :message_id => message_summary.id %>
+ <%= link_to h(message_summary.title) , :controller => 'message', :action => 'read', :message_id => message_summary.id %>
 <%= message_summary.sent_on %> <% if message_summary.message_read? %> <%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => message_summary.id, :mark => 'unread' %>
diff --git a/app/views/message/_sent_message_summary.rhtml b/app/views/message/_sent_message_summary.rhtml
index 69b14609a..9c117bdd6 100644
--- a/app/views/message/_sent_message_summary.rhtml
+++ b/app/views/message/_sent_message_summary.rhtml
@@ -2,6 +2,6 @@
 <%= link_to sent_message_summary.recipient.display_name , :controller => 'user', :action => sent_message_summary.recipient.display_name %>
- <%= link_to sent_message_summary.title , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %>
+ <%= link_to h(sent_message_summary.title) , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %>
 <%= sent_message_summary.sent_on %>
diff --git a/app/views/message/read.rhtml b/app/views/message/read.rhtml
index 2e2694c07..b3dcd1f23 100644
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@@ -17,7 +17,7 @@
- <%= h(@message.body) %>
+ <%= sanitize(@message.body) %>
@@ -50,7 +50,7 @@
- <%= h(@message.body) %>
+ <%= sanitize(@message.body) %>
--
2.43.2
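Review bot: The new `sanitize(diary_entry.body)` on the `+` line of the diary partial relies on the sanitizer's default policy rather than an explicit one, so what a diary author can get rendered is decided by whichever tag and attribute list the framework version ships, and the commit message itself concedes the scanner may not catch everything. Since the body is untrusted user input, I would pin the policy in the view: `<%= simple_format(sanitize(diary_entry.body, :tags => %w(a b i em strong p br), :attributes => %w(href))) %>` — this assumes the `sanitize` helper in the Rails version this app runs accepts `:tags`/`:attributes`, which the diff does not show. If it does not, the trade-off stated in the commit message should at least be recorded as an ERB comment above the line, e.g. `<%# body is user HTML filtered by sanitize(), not escaped; keep h() for anything not deliberately allowed %>`. The adjacent `h(diary_entry.title)` and the `link_to` coordinate links are unaffected by this change.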
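Review bot: In the `_message_summary.rhtml` hunk the added `h(message_summary.title)` escapes the subject, but the context line directly above it still passes `message_summary.sender.display_name` to `link_to` unescaped, and the fact that the commit wraps the title in `h()` indicates the `link_to` helper in use does not escape its link text. Unless display names are constrained to plain text on the model (not visible here), a sender can put markup into the inbox row through their name exactly as they could through a title. I would give it the same treatment: `<%= link_to h(message_summary.sender.display_name) , :controller => 'user', :action => message_summary.sender.display_name %>`. The `:action => display_name` value goes through URL generation and is a separate concern from the HTML escaping of the link text.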
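Review bot: In the `_sent_message_summary.rhtml` hunk, `h()` is added around `sent_message_summary.title` while the context line above still renders `sent_message_summary.recipient.display_name` through `link_to` without escaping, so the outbox row stays injectable via a recipient's display name if names are not restricted to plain text elsewhere (not visible in this diff). Suggested change: `<%= link_to h(sent_message_summary.recipient.display_name) , :controller => 'user', :action => sent_message_summary.recipient.display_name %>`. The `<%= sent_message_summary.sent_on %>` cell is a timestamp and does not need the same treatment.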
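Review bot: In `read.rhtml` the same `sanitize(@message.body)` call now appears in both the `@@ -17` and `@@ -50` hunks with no shared definition, so the filtering policy for message bodies lives in two places and any later tightening (an explicit allowlist, or a revert to `h()`) must be made twice. I would move it into a view helper, e.g. `def message_body(body) sanitize(body, :tags => %w(a b i em strong p br), :attributes => %w(href)) end`, and call `<%= message_body(@message.body) %>` from both places; the `:tags`/`:attributes` options assume the Rails `sanitize` in use accepts them, which this diff does not establish. Unlike the diary partial, the message body here is not wrapped in `simple_format`, so line breaks in plain-text messages are not rendered; the removed `h()` line had no wrapping either, so this is pre-existing, but worth confirming it is intended. The surrounding table markup around these lines is not legible in this copy of the hunk.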