When someone went to /message/new/:user the "Subject" area would be
pre-filled out with t('message.new.title'). The problem was that the
@title template variable was being used for two purposes, to set the
HTML <title> AND to pre-fill out the subject.
We don't always want these two to be the same, but sometimes we
do. E.g. when someone replies to a diary entry and visits
/message/new/:user?title=Foo we want Foo in the <title> and in the
pre-filled out Subject, and the same goes for replying to a message.
So I've split up the @title variable into @title and @subject.
The following pages now have a <title> that can be set in localizations:
* /user/USER_DOES_NOT_EXIST
* /user/USER_DOES_NOT_EXIST/diary
* /user/USER_DOES_NOT_EXIST/traces
* /message/*/ID_DOES_NOT_EXIST
In addition I've cleaned up the i18n message keys of all the
''no_such_user.rhtml'' pages involved. They now all use
title/heading/body for the <title>, <h2> and <p> respectively. And the
message key {{user}} instead of {{name}}.

no effect as there is no such attribute defined, but Opera seems to
decide that it should post the form to that URL instead of the one
given on the form element.

switch to using sanitize() instead of h() to escape message bodies. This
is not quite as safe as there is no guarantee that the HTML scanner it
uses will find everything, but it does allow benign HTML tags to be
displayed again.

has decided to report this XSS problem to a public mailing list. Unfortunately
it means that some functionality (links in messages etc.) has been lost for now.