Add a few more escape calls to prevent nasty HTML being rendered. Also

switch to using sanitize() instead of h() to escape message bodies. This
is not quite as safe as there is no guarantee that the HTML scanner it
uses will find everything, but it does allow benign HTML tags to be
displayed again.
This commit is contained in:
Tom Hughes 2008-01-15 18:22:08 +00:00
parent 77b5ad459a
commit 9f909d7447
4 changed files with 5 additions and 5 deletions


@ -1,5 +1,5 @@
<b><%= h(diary_entry.title) %></b><br />
<%= simple_format(h(diary_entry.body)) %>
<%= simple_format(sanitize(diary_entry.body)) %>
<% if diary_entry.latitude and diary_entry.longitude %>
Coordinates: <div class="geo" style="display: inline"><span class="latitude"><%= diary_entry.latitude %></span>; <span class="longitude"><%= diary_entry.longitude %></span></div> (<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)<br/>
<% end %>
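Review bot: The `sanitize(diary_entry.body)` call on the new side relies on the helper's default allowlist, and the same holds for the two `sanitize(@message.body)` lines in the message read view further down this commit. Given the commit message's own caveat that the scanner may not find everything, an explicit allowlist such as `sanitize(diary_entry.body, :tags => %w(b i em strong p br a), :attributes => %w(href))` keeps the benign formatting while bounding what an unexpected parse could let through. The `diary_entry.latitude` and `diary_entry.longitude` interpolations on the Coordinates line are emitted without `h()`; if those are numeric columns this is harmless, but that is worth confirming against the model rather than assuming.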


@ -2,7 +2,7 @@
<tr class="inbox-row<%= "-unread" if not message_summary.message_read? %>">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to message_summary.sender.display_name , :controller => 'user', :action => message_summary.sender.display_name %></td>
<td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to message_summary.title , :controller => 'message', :action => 'read', :message_id => message_summary.id %></td>
<td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(message_summary.title) , :controller => 'message', :action => 'read', :message_id => message_summary.id %></td>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= message_summary.sent_on %></td>
<% if message_summary.message_read? %>
<td><%= button_to 'Mark as unread', :controller => 'message', :action => 'mark', :message_id => message_summary.id, :mark => 'unread' %></td>
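Review bot: The sender's `display_name` used as link text in the inbox-sender cell is still rendered without `h()`, while the title one cell over now gets it; in this Rails version `link_to` does not escape its name argument, so a display name containing markup would be emitted raw. The same gap is in the sent-messages row below, where `sent_message_summary.recipient.display_name` is the link text. Change the link text to `link_to h(message_summary.sender.display_name), :controller => 'user', :action => message_summary.sender.display_name` and likewise for the recipient. The `:action => display_name` route parameter is URL-encoded by url_for, so only the visible link text needs the escape.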


@ -2,6 +2,6 @@
<tr class="inbox-row">
<td class="inbox-sender" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.recipient.display_name , :controller => 'user', :action => sent_message_summary.recipient.display_name %></td>
<td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to sent_message_summary.title , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %></td>
<td class="inbox-subject" bgcolor='<%= this_colour %>'><%= link_to h(sent_message_summary.title) , :controller => 'message', :action => 'read', :message_id => sent_message_summary.id %></td>
<td class="inbox-sent" bgcolor='<%= this_colour %>'><%= sent_message_summary.sent_on %></td>
</tr>


@ -17,7 +17,7 @@
</tr>
<tr>
<th></th>
<td><%= h(@message.body) %></td>
<td><%= sanitize(@message.body) %></td>
</tr>
</table>
@ -50,7 +50,7 @@
</tr>
<tr>
<th></th>
<td><%= h(@message.body) %></td>
<td><%= sanitize(@message.body) %></td>
</tr>
</table>