From a6089e5355e383513b8be98ba9466f5024a32069 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Tue, 4 Mar 2008 16:53:08 +0000
Subject: [PATCH] More display name escaping.

---
 app/views/layouts/site.rhtml | 2 +-
 app/views/user/view.rhtml    | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/views/layouts/site.rhtml b/app/views/layouts/site.rhtml
index 7a11ae101..0d1c24df2 100644
--- a/app/views/layouts/site.rhtml
+++ b/app/views/layouts/site.rhtml
@@ -20,7 +20,7 @@
 
     <span id="greeting">
       <% if @user and @user.id %>
-        Welcome, <%= link_to @user.display_name, {:controller => 'user', :action => 'view', :display_name => @user.display_name}%> | 
+        Welcome, <%= link_to h(@user.display_name), {:controller => 'user', :action => 'view', :display_name => @user.display_name}%> | 
         <% @inbox_weight = 'bold' if @user.new_messages.size > 0 %>
         <%= yield :greeting %>
         <%= link_to "inbox (#{@user.new_messages.size})", {:controller => 'message', :action => 'inbox', :display_name => @user.display_name}, {:style => "font-weight: #{@inbox_weight};" } %> |
diff --git a/app/views/user/view.rhtml b/app/views/user/view.rhtml
index 965efa6bc..f27ce6f0a 100644
--- a/app/views/user/view.rhtml
+++ b/app/views/user/view.rhtml
@@ -1,5 +1,5 @@
 <% @this_user = User.find_by_display_name(@this_user.display_name) %>
-<h2><%= @this_user.display_name %></h2>
+<h2><%= h(@this_user.display_name) %></h2>
 <div id="userinformation">
 <% if @user and @this_user.id == @user.id %>
 <%= link_to 'my diary', :controller => 'diary_entry', :action => 'list', :display_name => @user.display_name %>
@@ -58,7 +58,7 @@
         <%= image_tag url_for_file_column(@friend, "image") %>
       <% end %>
       </td>
-      <td class="username"><%= link_to @friend.display_name, :controller => 'user', :action => 'view',  :display_name => @friend.display_name %></td>
+      <td class="username"><%= link_to h(@friend.display_name), :controller => 'user', :action => 'view',  :display_name => @friend.display_name %></td>
       <td><% if @friend.home_lon and @friend.home_lat %><%= @this_user.distance(@friend).round %>km away<% end %></td>
       <td class="message">(<%= link_to 'send message', :controller => 'message', :action => 'new', :user_id => @friend.id %>)</td>
       </tr>
@@ -80,7 +80,7 @@
       <table id="nearbyusers">
       <% @this_user.nearby.each do |nearby| %>
       <tr>
-      <td class="username"><%= link_to nearby.display_name, :controller => 'user', :action => 'view',  :display_name => nearby.display_name %></td>
+      <td class="username"><%= link_to h(nearby.display_name), :controller => 'user', :action => 'view',  :display_name => nearby.display_name %></td>
       <td><%= @this_user.distance(nearby).round %>km away</td>
       <td class="message">(<%= link_to 'send message', :controller => 'message', :action => 'new', :user_id => nearby.id %>)</td>
       </tr>
-- 
2.43.2