From 12785890180a9ee3e3cc88223615ccff2d966c42 Mon Sep 17 00:00:00 2001
From: Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
Date: Fri, 29 Jul 2011 23:20:36 +0000
Subject: [PATCH] html_escape issue fields

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6326 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/application_helper.rb | 2 +-
 app/views/issues/show.rhtml       | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 6d5a058dc..3b9a0f8eb 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -80,7 +80,7 @@ module ApplicationHelper
         subject = truncate(subject, :length => options[:truncate])
       end
     end
-    s = link_to "#{issue.tracker} ##{issue.id}", {:controller => "issues", :action => "show", :id => issue},
+    s = link_to "#{h(issue.tracker)} ##{issue.id}", {:controller => "issues", :action => "show", :id => issue},
                                                  :class => issue.css_classes,
                                                  :title => title
     s << ": #{h subject}" if subject
diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml
index 9cdf3f64f..1f074e20c 100644
--- a/app/views/issues/show.rhtml
+++ b/app/views/issues/show.rhtml
@@ -17,11 +17,11 @@
 
 <table class="attributes">
 <tr>
-    <th class="status"><%=l(:field_status)%>:</th><td class="status"><%= @issue.status.name %></td>
+    <th class="status"><%=l(:field_status)%>:</th><td class="status"><%= h(@issue.status.name) %></td>
     <th class="start-date"><%=l(:field_start_date)%>:</th><td class="start-date"><%= format_date(@issue.start_date) %></td>
 </tr>
 <tr>
-    <th class="priority"><%=l(:field_priority)%>:</th><td class="priority"><%= @issue.priority.name %></td>
+    <th class="priority"><%=l(:field_priority)%>:</th><td class="priority"><%= h(@issue.priority.name) %></td>
     <th class="due-date"><%=l(:field_due_date)%>:</th><td class="due-date"><%= format_date(@issue.due_date) %></td>
 </tr>
 <tr>
@@ -29,7 +29,7 @@
     <th class="progress"><%=l(:field_done_ratio)%>:</th><td class="progress"><%= progress_bar @issue.done_ratio, :width => '80px', :legend => "#{@issue.done_ratio}%" %></td>
 </tr>
 <tr>
-    <th class="category"><%=l(:field_category)%>:</th><td class="category"><%=h @issue.category ? @issue.category.name : "-" %></td>
+    <th class="category"><%=l(:field_category)%>:</th><td class="category"><%=h(@issue.category ? @issue.category.name : "-") %></td>
     <% if User.current.allowed_to?(:view_time_entries, @project) %>
     <th class="spent-time"><%=l(:label_spent_time)%>:</th>
     <td class="spent-time"><%= @issue.spent_hours > 0 ? (link_to l_hours(@issue.spent_hours), {:controller => 'timelog', :action => 'index', :project_id => @project, :issue_id => @issue}) : "-" %></td>

<%=l(:field_status)%>:	<%= @issue.status.name %>	<%=l(:field_status)%>:	<%= h(@issue.status.name) %>	<%=l(:field_start_date)%>:	<%= format_date(@issue.start_date) %>
<%=l(:field_priority)%>:	<%= @issue.priority.name %>	<%=l(:field_priority)%>:	<%= h(@issue.priority.name) %>	<%=l(:field_due_date)%>:	<%= format_date(@issue.due_date) %>
<%=l(:field_done_ratio)%>:	<%= progress_bar @issue.done_ratio, :width => '80px', :legend => "#{@issue.done_ratio}%" %>
<%=l(:field_category)%>:	<%=h @issue.category ? @issue.category.name : "-" %>	<%=l(:field_category)%>:	<%=h(@issue.category ? @issue.category.name : "-") %>	<%=l(:label_spent_time)%>:	<%= @issue.spent_hours > 0 ? (link_to l_hours(@issue.spent_hours), {:controller => 'timelog', :action => 'index', :project_id => @project, :issue_id => @issue}) : "-" %>