[#163] Add extra escape in mail_to's javascript. Rails CVE-2011-0446

2011-02-26 12:51:22 -08:00 · 2011-02-26 12:51:22 -08:00 · 151b4cd404
parent 2b6a982801
commit 151b4cd404
1 changed files with 1 additions and 1 deletions
--- a/app/views/users/show.rhtml
+++ b/app/views/users/show.rhtml
@ -7,7 +7,7 @@
 <div class="splitcontentleft">
 <ul>
 	<% unless @user.pref.hide_mail %>
-		<li><%=l(:field_mail)%>: <%= mail_to(h(@user.mail), nil, :encode => 'javascript') %></li>
+		<li><%=l(:field_mail)%>: <%= mail_to(h(escape_javascript(@user.mail)), nil, :encode => 'javascript') %></li>
 	<% end %>
 	<% @user.visible_custom_field_values.each do |custom_value| %>
 	<% if !custom_value.value.blank? %>