Additional escaping.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6327 e93f8b46-1217-0410-a6f0-8f06a7374b81
2011-07-30 08:35:43 +00:00 · 2011-07-30 08:35:43 +00:00 · c3be706ce5
commit c3be706ce5
parent 1278589018
13 changed files with 19 additions and 19 deletions
--- a/app/helpers/custom_fields_helper.rb
+++ b/app/helpers/custom_fields_helper.rb
@ -57,7 +57,7 @@ module CustomFieldsHelper
  # Return custom field label tag
  def custom_field_label_tag(name, custom_value)
-    content_tag "label", custom_value.custom_field.name +
+    content_tag "label", h(custom_value.custom_field.name) +
 	(custom_value.custom_field.is_required? ? " <span class=\"required\">*</span>" : ""),
 	:for => "#{name}_custom_field_values_#{custom_value.custom_field.id}",
 	:class => (custom_value.errors.empty? ? nil : "error" )
--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@ -24,7 +24,7 @@ module QueriesHelper
  def column_header(column)
    column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption,
                                                        :default_order => column.default_order) : 
-                      content_tag('th', column.caption)
+                      content_tag('th', h(column.caption))
  end
  def column_content(column, issue)
--- a/app/helpers/sort_helper.rb
+++ b/app/helpers/sort_helper.rb
@ -205,7 +205,7 @@ module SortHelper
     # Add project_id to url_options
    url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id)
-    link_to_content_update(caption, url_options, :class => css)
+    link_to_content_update(h(caption), url_options, :class => css)
  end
  # Returns a table header <th> tag with a sort link for the named column
--- a/app/views/context_menus/issues.html.erb
+++ b/app/views/context_menus/issues.html.erb
@ -14,7 +14,7 @@
 		<a href="#" class="submenu" onclick="return false;"><%= l(:field_status) %></a>
 		<ul>
 		<% @statuses.each do |s| -%>
-		    <li><%= context_menu_link s.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {:status_id => s}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(s.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {:status_id => s}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && s == @issue.status), :disabled => !(@can[:update] && @allowed_statuses.include?(s)) %></li>
 		<% end -%>
 		</ul>
@ -26,7 +26,7 @@
 		<a href="#" class="submenu"><%= l(:field_tracker) %></a>
 		<ul>
 		<% @trackers.each do |t| -%>
-		    <li><%= context_menu_link t.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'tracker_id' => t}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(t.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'tracker_id' => t}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && t == @issue.tracker), :disabled => !@can[:edit] %></li>
 		<% end -%>
 		</ul>
@ -37,7 +37,7 @@
 		<a href="#" class="submenu"><%= l(:field_priority) %></a>
 		<ul>
 		<% @priorities.each do |p| -%>
-		    <li><%= context_menu_link p.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'priority_id' => p}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(p.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'priority_id' => p}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && p == @issue.priority), :disabled => (!@can[:edit] || @issues.detect {|i| !i.leaf?}) %></li>
 		<% end -%>
 		</ul>
@ -62,7 +62,7 @@
 		<a href="#" class="submenu"><%= l(:field_assigned_to) %></a>
 		<ul>
 		<% @assignables.each do |u| -%>
-		    <li><%= context_menu_link u.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'assigned_to_id' => u}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(u.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'assigned_to_id' => u}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && u == @issue.assigned_to), :disabled => !@can[:update] %></li>
 		<% end -%>
 		    <li><%= context_menu_link l(:label_nobody), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'assigned_to_id' => 'none'}, :back_url => @back}, :method => :post,
@ -75,7 +75,7 @@
 		<a href="#" class="submenu"><%= l(:field_category) %></a>
 		<ul>
 		<% @project.issue_categories.each do |u| -%>
-		    <li><%= context_menu_link u.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'category_id' => u}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(u.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'category_id' => u}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && u == @issue.category), :disabled => !@can[:update] %></li>
 		<% end -%>
 		    <li><%= context_menu_link l(:label_none), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'category_id' => 'none'}, :back_url => @back}, :method => :post,
--- a/app/views/custom_fields/_form.rhtml
+++ b/app/views/custom_fields/_form.rhtml
@ -82,7 +82,7 @@ when "IssueCustomField" %>
    <fieldset><legend><%=l(:label_tracker_plural)%></legend>
    <% for tracker in @trackers %>
-        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= tracker.name %>
+        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%=h tracker.name %>
    <% end %>
 		<%= hidden_field_tag "custom_field[tracker_ids][]", '' %>
    </fieldset>
--- a/app/views/custom_fields/_index.rhtml
+++ b/app/views/custom_fields/_index.rhtml
@ -13,7 +13,7 @@
  <tbody>
 	<% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%>
 		<tr class="<%= cycle("odd", "even") %>">
-			<td><%= link_to custom_field.name, :action => 'edit', :id => custom_field %></td>
+			<td><%= link_to h(custom_field.name), :action => 'edit', :id => custom_field %></td>
 			<td align="center"><%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %></td>
 			<td align="center"><%= checked_image custom_field.is_required? %></td>
 			<% if tab[:name] == 'IssueCustomField' %>
--- a/app/views/issue_statuses/index.html.erb
+++ b/app/views/issue_statuses/index.html.erb
@ -19,7 +19,7 @@
  <tbody>  
 <% for status in @issue_statuses %>
  <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to status.name, :action => 'edit', :id => status %></td>
+  <td><%= link_to h(status.name), :action => 'edit', :id => status %></td>
  <% if Issue.use_status_for_done_ratio? %>
  <td align="center"><%= h status.default_done_ratio %></td>
  <% end %>
--- a/app/views/issues/_relations.rhtml
+++ b/app/views/issues/_relations.rhtml
@ -16,7 +16,7 @@
    <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %>
    <%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %>
 </td>
-<td class="status"><%= relation.other_issue(@issue).status.name %></td>
+<td class="status"><%=h relation.other_issue(@issue).status.name %></td>
 <td class="start_date"><%= format_date(relation.other_issue(@issue).start_date) %></td>
 <td class="due_date"><%= format_date(relation.other_issue(@issue).due_date) %></td>
 <td class="buttons"><%= link_to_remote(image_tag('link_break.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :id => relation},                                              
--- a/app/views/projects/_form.rhtml
+++ b/app/views/projects/_form.rhtml
@ -42,7 +42,7 @@
 <% @trackers.each do |tracker| %>
    <label class="floating">
    <%= check_box_tag 'project[tracker_ids][]', tracker.id, @project.trackers.include?(tracker) %>
-    <%= tracker %>
+    <%=h tracker %>
    </label>
 <% end %>
 <%= hidden_field_tag 'project[tracker_ids][]', '' %>
@ -54,7 +54,7 @@
 <% @issue_custom_fields.each do |custom_field| %>
    <label class="floating">
 	<%= check_box_tag 'project[issue_custom_field_ids][]', custom_field.id, (@project.all_issue_custom_fields.include? custom_field), (custom_field.is_for_all? ? {:disabled => "disabled"} : {}) %>
-	<%= custom_field.name %>
+	<%=h custom_field.name %>
 	</label>
 <% end %>
 <%= hidden_field_tag 'project[issue_custom_field_ids][]', '' %>
--- a/app/views/reports/_details.rhtml
+++ b/app/views/reports/_details.rhtml
@ -6,7 +6,7 @@
 <thead><tr>
 <th style="width:25%"></th>
 <% for status in @statuses %>
-<th style="width:<%= col_width %>%"><%= status.name %></th>
+<th style="width:<%= col_width %>%"><%=h status.name %></th>
 <% end %>
 <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_open_issues_plural)%></strong></th>
 <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_closed_issues_plural)%></strong></th>
@ -15,7 +15,7 @@
 <tbody>
 <% for row in rows %>
 <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
+  <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
                                                :set_filter => 1, 
                                                :subproject_id => '!*',
                                                "#{field_name}" => row.id %></td>
--- a/app/views/reports/_simple.rhtml
+++ b/app/views/reports/_simple.rhtml
@ -11,7 +11,7 @@
 <tbody>
 <% for row in rows %>
 <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
+  <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
                                                :set_filter => 1, 
                                                :subproject_id => '!*',
                                                "#{field_name}" => row.id %></td>
--- a/app/views/roles/index.html.erb
+++ b/app/views/roles/index.html.erb
@ -13,7 +13,7 @@
  <tbody>
 <% for role in @roles %>
  <tr class="<%= cycle("odd", "even") %>">
-  <td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(role.name, :action => 'edit', :id => role)) %></td>
+  <td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(h(role.name), :action => 'edit', :id => role)) %></td>
  <td align="center" style="width:15%;">
  <% unless role.builtin? %>
    <%= reorder_links('role', {:action => 'edit', :id => role}) %>
--- a/app/views/trackers/index.html.erb
+++ b/app/views/trackers/index.html.erb
@ -14,7 +14,7 @@
  <tbody>
 <% for tracker in @trackers %>
  <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to tracker.name, :action => 'edit', :id => tracker %></td>
+  <td><%= link_to h(tracker.name), :action => 'edit', :id => tracker %></td>
  <td align="center"><% unless tracker.workflows.count > 0 %><span class="icon icon-warning"><%= l(:text_tracker_no_workflow) %> (<%= link_to l(:button_edit), {:controller => 'workflows', :action => 'edit', :tracker_id => tracker} %>)</span><% end %></td>
  <td align="center" style="width:15%;"><%= reorder_links('tracker', {:action => 'edit', :id => tracker}) %></td>
  <td class="buttons">