HTML escape substituted parameter values to avoid injection attacks.

2007-11-23 00:49:55 +00:00 · 2007-11-23 00:49:55 +00:00 · 2cbcabb3f6
commit 2cbcabb3f6
parent 7b172efeb6
7 changed files with 39 additions and 37 deletions
--- a/app/views/message/new.rhtml
+++ b/app/views/message/new.rhtml
@ -3,7 +3,7 @@
 <h2>Send a new message to <%= display_name %></h2>

 <% if params[:display_name] %>
-<p>Writing a new message to <%= params[:display_name] %></p>  
+<p>Writing a new message to <%= h(params[:display_name]) %></p>  
 <p>TODO: drop down box of your friends</p>
 <%end%>