Escapes HTML tags.

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1612 e93f8b46-1217-0410-a6f0-8f06a7374b81
2008-07-02 17:27:16 +00:00 · 2008-07-02 17:27:16 +00:00 · 9703f576d9
parent be57c20cd8
commit 9703f576d9
4 changed files with 9 additions and 9 deletions
--- a/app/views/account/show.rhtml
+++ b/app/views/account/show.rhtml
@ -1,7 +1,7 @@
 <h2><%=h @user.name %></h2>
 <p>
-<%= mail_to @user.mail unless @user.pref.hide_mail %>
+<%= mail_to(h(@user.mail)) unless @user.pref.hide_mail %>
 <ul>
    <li><%=l(:label_registered_on)%>: <%= format_date(@user.created_on) %></li>
 <% for custom_value in @custom_values %>
@ -16,8 +16,8 @@
 <h3><%=l(:label_project_plural)%></h3>
 <ul>
 <% for membership in @memberships %>
-	<li><%= link_to membership.project.name, :controller => 'projects', :action => 'show', :id => membership.project %>
+	<li><%= link_to(h(membership.project.name), :controller => 'projects', :action => 'show', :id => membership.project) %>
-    (<%= membership.role.name %>, <%= format_date(membership.created_on) %>)</li>
+    (<%=h membership.role.name %>, <%= format_date(membership.created_on) %>)</li>
 <% end %>
 </ul>
 <% end %>
--- a/app/views/projects/show.rhtml
+++ b/app/views/projects/show.rhtml
@ -3,7 +3,7 @@
 <div class="splitcontentleft">
 	<%= textilizable @project.description %>	
 	<ul>
-	<% unless @project.homepage.blank? %><li><%=l(:field_homepage)%>: <%= auto_link @project.homepage %></li><% end %>
+	<% unless @project.homepage.blank? %><li><%=l(:field_homepage)%>: <%= auto_link(h(@project.homepage)) %></li><% end %>
    <% if @subprojects.any? %>
 	<li><%=l(:label_subproject_plural)%>: <%= @subprojects.collect{|p| link_to(h(p.name), :action => 'show', :id => p)}.join(", ") %></li>
    <% end %>
--- a/app/views/users/list.rhtml
+++ b/app/views/users/list.rhtml
@ -26,10 +26,10 @@
  <tbody>
 <% for user in @users -%>
  <tr class="user <%= cycle("odd", "even") %> <%= %w(anon active registered locked)[user.status] %>">
-	<td class="username"><%= link_to user.login, :action => 'edit', :id => user %></td>
+	<td class="username"><%= link_to h(user.login), :action => 'edit', :id => user %></td>
-	<td class="firstname"><%= user.firstname %></td>
+	<td class="firstname"><%= h(user.firstname) %></td>
-	<td class="lastname"><%= user.lastname %></td>
+	<td class="lastname"><%= h(user.lastname) %></td>
-	<td class="email"><%= user.mail %></td>
+	<td class="email"><%= h(user.mail) %></td>
 	<td align="center"><%= image_tag('true.png') if user.admin? %></td>
 	<td class="created_on" align="center"><%= format_time(user.created_on) %></td>
 	<td class="last_login_on" align="center"><%= format_time(user.last_login_on) unless user.last_login_on.nil? %></td>
--- a/app/views/welcome/index.rhtml
+++ b/app/views/welcome/index.rhtml
@ -18,7 +18,7 @@
 		<ul>
 		<% for project in @projects %>
 			<li>
-			<%= link_to project.name, :controller => 'projects', :action => 'show', :id => project %> (<%= format_time(project.created_on) %>)
+			<%= link_to h(project.name), :controller => 'projects', :action => 'show', :id => project %> (<%= format_time(project.created_on) %>)
 			<%= textilizable project.short_description, :project => project %>
 			</li>
 		<% end %>