Escape message titles and bodies. This is an emergency fix as some genius

has decided to report this XSS problem to a public mailing list. Unfortunately it means that some functionality (links in messages etc) has been lost for now.
2008-01-15 00:26:01 +00:00 · 2008-01-15 00:26:01 +00:00 · 1e54573bae
commit 1e54573bae
parent bc309badb8
2 changed files with 6 additions and 6 deletions
--- a/app/views/message/read.rhtml
+++ b/app/views/message/read.rhtml
@ -9,7 +9,7 @@
  </tr>
  <tr>
    <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
  </tr>
  <tr>
    <th align="right">Date</th>
@ -17,7 +17,7 @@
  </tr>
  <tr>
    <th></th>
-    <td><%= @message.body %></td>
+    <td><%= h(@message.body) %></td>
  </tr>
 </table>

@ -42,7 +42,7 @@
  </tr>
  <tr>
    <th align="right">Subject</th>
-    <td><%= @message.title %></td>
+    <td><%= h(@message.title) %></td>
  </tr>
  <tr>
    <th align="right">Date</th>
@ -50,7 +50,7 @@
  </tr>
  <tr>
    <th></th>
-    <td><%= @message.body %></td>
+    <td><%= h(@message.body) %></td>
  </tr>
 </table>