[#163] Add extra escape in mail_to's javascript. Rails CVE-2011-0446

This commit is contained in:
Eric Davis 2011-02-26 12:51:22 -08:00
parent 2b6a982801
commit 151b4cd404


@ -7,7 +7,7 @@
<div class="splitcontentleft"> <div class="splitcontentleft">
<ul> <ul>
<% unless @user.pref.hide_mail %> <% unless @user.pref.hide_mail %>
<li><%=l(:field_mail)%>: <%= mail_to(h(@user.mail), nil, :encode => 'javascript') %></li> <li><%=l(:field_mail)%>: <%= mail_to(h(escape_javascript(@user.mail)), nil, :encode => 'javascript') %></li>
<% end %> <% end %>
<% @user.visible_custom_field_values.each do |custom_value| %> <% @user.visible_custom_field_values.each do |custom_value| %>
<% if !custom_value.value.blank? %> <% if !custom_value.value.blank? %>
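Review bot: The stacked `h(escape_javascript(@user.mail))` on the changed `<li>` line is the right order for a value that mail_to embeds in a JavaScript string inside HTML, but nothing at the call site records why two escapes are nested, so a later cleanup could plausibly drop one; add `<%# escape_javascript before h: mail_to(:encode => 'javascript') writes the address into a document.write string (CVE-2011-0446) %>` above it. The fix is also local to this single template while the underlying issue is in the helper itself, so any other template that passes user-supplied input to `mail_to(..., :encode => 'javascript')` would presumably need the same treatment, or the escaping belongs in a wrapper helper (or a patched Rails) applied once. Only the one `<li>` line changes here; the `@user.visible_custom_field_values.each` block opened on the last two lines continues outside the hunk.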