title/heading & XSS fix for /edit

2009-10-01 19:45:36 +00:00 · 2009-10-01 19:45:36 +00:00 · 1cea0df3d8
commit 1cea0df3d8
parent c6f844603d
2 changed files with 7 additions and 2 deletions
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@ -1,4 +1,8 @@
-<h1><%= t('user_block.edit.title', :name => @user_block.user.display_name) %></h1>
+<% @title = t 'user_block.edit.title', :name => h(@user_block.user.display_name) %>
+<h1><%= t('user_block.edit.title',
+          :name => link_to(
+                           h(@user_block.user.display_name),
+                           {:controller => 'user', :action => 'view', :display_name => @user_block.user.display_name})) %></h1>

 <% form_for(@user_block) do |f| %>
  <%= f.error_messages %>