Escape tag values - there is no reason at all to render things which

might look like HTML tags in a tag value.
2009-09-14 23:17:02 +00:00 · 2009-09-14 23:17:02 +00:00 · 9200520395
commit 9200520395
parent 253e8a272d
2 changed files with 2 additions and 2 deletions
--- a/app/views/browse/_tag.html.erb
+++ b/app/views/browse/_tag.html.erb
@ -1,3 +1,3 @@
 <tr>
-  <td><%= h(tag[0]) %> = <%= sanitize(auto_link(tag[1])) %></td>
+  <td><%= h(tag[0]) %> = <%= auto_link(h(tag[1])) %></td>
 </tr> 
--- a/app/views/changeset/list.atom.builder
+++ b/app/views/changeset/list.atom.builder
@ -68,7 +68,7 @@ atom_feed(:language => I18n.locale, :schema_date => 2009,
                td.table :cellpadding => "0" do |table|
                  changeset.tags.sort.each do |tag|
                    table.tr do |tr|
-                      tr.td "#{h(tag[0])} = #{sanitize(tag[1])}"
+                      tr.td "#{h(tag[0])} = #{auto_link(h(tag[1]))}"
                    end
                  end
                end