Escape user names in diary views.

app/views/diary_entry/_diary_comment.rhtml

@@ -1,3 +1,3 @@
-<h4 id="comment<%= diary_comment.id %>">Comment from <%= link_to diary_comment.user.display_name, :controller => 'user', :action => 'view', :display_name => diary_comment.user.display_name %>  at <%= diary_comment.created_at %></h4>
+<h4 id="comment<%= diary_comment.id %>">Comment from <%= link_to h(diary_comment.user.display_name), :controller => 'user', :action => 'view', :display_name => diary_comment.user.display_name %>  at <%= diary_comment.created_at %></h4>
 <%= htmlize(diary_comment.body) %>
 <hr />

app/views/diary_entry/_diary_entry.rhtml

@@ -3,7 +3,7 @@
 <% if diary_entry.latitude and diary_entry.longitude %>
 Coordinates: <div class="geo" style="display: inline"><span class="latitude"><%= diary_entry.latitude %></span>; <span class="longitude"><%= diary_entry.longitude %></span></div> (<%=link_to 'map', :controller => 'site', :action => 'index', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %> / <%=link_to 'edit', :controller => 'site', :action => 'edit', :lat => diary_entry.latitude, :lon => diary_entry.longitude, :zoom => 14 %>)<br/>
 <% end %>
-Posted by <b><%= link_to diary_entry.user.display_name, :controller => 'user', :action => 'view', :display_name => diary_entry.user.display_name %></b> at <%= diary_entry.created_at %><br />
+Posted by <b><%= link_to h(diary_entry.user.display_name), :controller => 'user', :action => 'view', :display_name => diary_entry.user.display_name %></b> at <%= diary_entry.created_at %><br />
 <% if params[:action] == 'list' %>
 <%= link_to 'Comment on this entry', :action => 'view', :display_name => diary_entry.user.display_name, :id => diary_entry.id, :anchor => 'newcomment' %>
 |

app/views/diary_entry/view.rhtml

@@ -1,4 +1,4 @@
-<h2><%= @entry.user.display_name %>'s diary</h2>
+<h2><%= h(@entry.user.display_name) %>'s diary</h2>
 
 <%= render :partial => 'diary_entry', :object => @entry %>