diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index 10dcb3b8..542d3086 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -107,7 +107,7 @@ module ApplicationHelper text = options.delete(:text) || format_revision(revision) rev = revision.respond_to?(:identifier) ? revision.identifier : revision - link_to(text, {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev}, + link_to(h(text), {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev}, :title => l(:label_revision_id, format_revision(revision))) end @@ -410,7 +410,7 @@ module ApplicationHelper def html_title(*args) if args.empty? title = [] - title << @project.name if @project + title << h(@project.name) if @project title += @html_title if @html_title title << Setting.app_title title.select {|t| !t.blank? }.join(' - ') @@ -561,7 +561,7 @@ module ApplicationHelper wiki_page_id = page.present? ? Wiki.titleize(page) : nil url_for(:only_path => only_path, :controller => 'wiki', :action => 'show', :project_id => link_project, :id => wiki_page_id, :anchor => anchor) end - link_to((title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new'))) + link_to(h(title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new'))) else # project or wiki doesn't exist all @@ -615,7 +615,7 @@ module ApplicationHelper if prefix.nil? && sep == 'r' # project.changesets.visible raises an SQL error because of a double join on repositories if project && project.repository && (changeset = Changeset.visible.find_by_repository_id_and_revision(project.repository.id, identifier)) - link = link_to("#{project_prefix}r#{identifier}", {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision}, + link = link_to(h("#{project_prefix}r#{identifier}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision}, :class => 'changeset', :title => truncate_single_line(changeset.comments, :length => 100)) end @@ -665,7 +665,7 @@ module ApplicationHelper if project && project.repository && (changeset = Changeset.visible.find(:first, :conditions => ["repository_id = ? AND scmid LIKE ?", project.repository.id, "#{name}%"])) link = link_to h("#{project_prefix}#{name}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.identifier}, :class => 'changeset', - :title => truncate_single_line(changeset.comments, :length => 100) + :title => truncate_single_line(h(changeset.comments), :length => 100) end when 'source', 'export' if project && project.repository && User.current.allowed_to?(:browse_repository, project) @@ -831,7 +831,7 @@ module ApplicationHelper options[:class] << ' disabled' url = '#' end - link_to name, url, options + link_to h(name), url, options end def calendar_for(field_id) diff --git a/app/helpers/calendars_helper.rb b/app/helpers/calendars_helper.rb index b2de58f7..b8f5fcb3 100644 --- a/app/helpers/calendars_helper.rb +++ b/app/helpers/calendars_helper.rb @@ -45,6 +45,6 @@ module CalendarsHelper end def link_to_month(link_name, year, month, options={}) - link_to_content_update(link_name, params.merge(:year => year, :month => month)) + link_to_content_update(h(link_name), params.merge(:year => year, :month => month)) end end diff --git a/app/helpers/custom_fields_helper.rb b/app/helpers/custom_fields_helper.rb index 6fb59ee4..ba3328bb 100644 --- a/app/helpers/custom_fields_helper.rb +++ b/app/helpers/custom_fields_helper.rb @@ -53,7 +53,7 @@ module CustomFieldsHelper # Return custom field label tag def custom_field_label_tag(name, custom_value) - content_tag "label", custom_value.custom_field.name + + content_tag "label", h(custom_value.custom_field.name) + (custom_value.custom_field.is_required? ? " *" : ""), :for => "#{name}_custom_field_values_#{custom_value.custom_field.id}", :class => (custom_value.errors.empty? ? nil : "error" ) diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb index 84b5a63b..4063d763 100644 --- a/app/helpers/issues_helper.rb +++ b/app/helpers/issues_helper.rb @@ -44,11 +44,11 @@ module IssuesHelper link_to_issue(issue) + "

" + "#{@cached_label_project}: #{link_to_project(issue.project)}
" + - "#{@cached_label_status}: #{issue.status.name}
" + + "#{@cached_label_status}: #{h(issue.status.name)}
" + "#{@cached_label_start_date}: #{format_date(issue.start_date)}
" + "#{@cached_label_due_date}: #{format_date(issue.due_date)}
" + - "#{@cached_label_assigned_to}: #{issue.assigned_to}
" + - "#{@cached_label_priority}: #{issue.priority.name}" + "#{@cached_label_assigned_to}: #{h(issue.assigned_to)}
" + + "#{@cached_label_priority}: #{h(issue.priority.name)}" end def render_issue_subject_with_tree(issue) @@ -114,7 +114,7 @@ module IssuesHelper # links to #index on issues/show url_params = controller_name == 'issues' ? {:controller => 'issues', :action => 'index', :project_id => @project} : params - content_tag('h3', title) + + content_tag('h3', h(title)) + queries.collect {|query| link_to(h(query.name), url_params.merge(:query_id => query)) }.join('
') diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb index b4fd07c3..d468be9a 100644 --- a/app/helpers/queries_helper.rb +++ b/app/helpers/queries_helper.rb @@ -20,7 +20,7 @@ module QueriesHelper def column_header(column) column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption, :default_order => column.default_order) : - content_tag('th', column.caption) + content_tag('th', h(column.caption)) end def column_content(column, issue) @@ -41,7 +41,7 @@ module QueriesHelper if column.name == :done_ratio progress_bar(value, :width => '80px') else - value.to_s + h(value.to_s) end when 'User' link_to_user value diff --git a/app/helpers/reports_helper.rb b/app/helpers/reports_helper.rb index 6b965fb4..adf66589 100644 --- a/app/helpers/reports_helper.rb +++ b/app/helpers/reports_helper.rb @@ -27,6 +27,6 @@ module ReportsHelper def aggregate_link(data, criteria, *args) a = aggregate data, criteria - a > 0 ? link_to(a, *args) : '-' + a > 0 ? link_to(h(a), *args) : '-' end end diff --git a/app/helpers/repositories_helper.rb b/app/helpers/repositories_helper.rb index b81778b0..556da589 100644 --- a/app/helpers/repositories_helper.rb +++ b/app/helpers/repositories_helper.rb @@ -83,7 +83,7 @@ module RepositoriesHelper if s = tree[file][:s] style << ' folder' path_param = to_path_param(@repository.relative_path(file)) - text = link_to(text, :controller => 'repositories', + text = link_to(h(text), :controller => 'repositories', :action => 'show', :id => @project, :path => path_param, @@ -93,18 +93,18 @@ module RepositoriesHelper elsif c = tree[file][:c] style << " change-#{c.action}" path_param = to_path_param(@repository.relative_path(c.path)) - text = link_to(text, :controller => 'repositories', + text = link_to(h(text), :controller => 'repositories', :action => 'entry', :id => @project, :path => path_param, :rev => @changeset.identifier) unless c.action == 'D' - text << " - #{c.revision}" unless c.revision.blank? + text << " - #{h(c.revision)}" unless c.revision.blank? text << ' (' + link_to('diff', :controller => 'repositories', :action => 'diff', :id => @project, :path => path_param, :rev => @changeset.identifier) + ') ' if c.action == 'M' - text << ' ' + content_tag('span', c.from_path, :class => 'copied-from') unless c.from_path.blank? + text << ' ' + content_tag('span', h(c.from_path), :class => 'copied-from') unless c.from_path.blank? output << "
  • #{text}
    • " end end diff --git a/app/helpers/search_helper.rb b/app/helpers/search_helper.rb index 98fc27fa..6bc9b1d4 100644 --- a/app/helpers/search_helper.rb +++ b/app/helpers/search_helper.rb @@ -53,7 +53,7 @@ module SearchHelper c = results_by_type[t] next if c == 0 text = "#{type_label(t)} (#{c})" - links << link_to(text, :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1) + links << link_to(h(text), :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1) end ('') unless links.empty? end diff --git a/app/helpers/sort_helper.rb b/app/helpers/sort_helper.rb index daea424b..4ba2d5d3 100644 --- a/app/helpers/sort_helper.rb +++ b/app/helpers/sort_helper.rb @@ -218,7 +218,7 @@ module SortHelper # Add project_id to url_options url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id) - link_to_content_update(caption, url_options, :class => css) + link_to_content_update(h(caption), url_options, :class => css) end # Returns a table header tag with a sort link for the named column diff --git a/app/helpers/timelog_helper.rb b/app/helpers/timelog_helper.rb index 9e5336b5..af46e6bb 100644 --- a/app/helpers/timelog_helper.rb +++ b/app/helpers/timelog_helper.rb @@ -125,7 +125,7 @@ module TimelogHelper elsif k = @available_criterias[criteria][:klass] obj = k.find_by_id(value.to_i) if obj.is_a?(Issue) - obj.visible? ? "#{obj.tracker} ##{obj.id}: #{obj.subject}" : "##{obj.id}" + obj.visible? ? h("#{obj.tracker} ##{obj.id}: #{obj.subject}") : h("##{obj.id}") else obj end diff --git a/app/views/activities/index.html.erb b/app/views/activities/index.html.erb index cb957991..af604a66 100644 --- a/app/views/activities/index.html.erb +++ b/app/views/activities/index.html.erb @@ -12,7 +12,7 @@ <%= content_tag('span', h(e.project), :class => 'project') if @project.nil? || @project != e.project %> <%= link_to format_activity_title(e.event_title), e.event_url %>
    <%= format_activity_description(e.event_description) %> - <%= e.event_author if e.respond_to?(:event_author) %>
    + <%= link_to_user(e.event_author) if e.respond_to?(:event_author) %> <% end -%> <% end -%> diff --git a/app/views/attachments/_links.rhtml b/app/views/attachments/_links.rhtml index 19ab6734..4f4e2d18 100644 --- a/app/views/attachments/_links.rhtml +++ b/app/views/attachments/_links.rhtml @@ -11,7 +11,7 @@ :title => l(:button_delete) %> <% end %> <% if options[:author] %> - <%= attachment.author %>, <%= format_time(attachment.created_on) %> + <%= h(attachment.author) %>, <%= format_time(attachment.created_on) %> <% end %>

    <% end %> diff --git a/app/views/attachments/diff.rhtml b/app/views/attachments/diff.rhtml index 36db0af5..36e47217 100644 --- a/app/views/attachments/diff.rhtml +++ b/app/views/attachments/diff.rhtml @@ -2,7 +2,7 @@

    <%= h("#{@attachment.description} - ") unless @attachment.description.blank? %> - <%= @attachment.author %>, <%= format_time(@attachment.created_on) %>

    + <%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %>

    <%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%> (<%= number_to_human_size @attachment.filesize %>)

    @@ -10,7 +10,7 @@   <%= render :partial => 'common/diff', :locals => {:diff => @diff, :diff_type => @diff_type} %> -<% html_title @attachment.filename %> +<% html_title h(@attachment.filename) %> <% content_for :header_tags do -%> <%= stylesheet_link_tag "scm" -%> diff --git a/app/views/attachments/file.rhtml b/app/views/attachments/file.rhtml index c7e7a757..fde551f8 100644 --- a/app/views/attachments/file.rhtml +++ b/app/views/attachments/file.rhtml @@ -2,7 +2,7 @@

    <%= h("#{@attachment.description} - ") unless @attachment.description.blank? %> - <%= @attachment.author %>, <%= format_time(@attachment.created_on) %>

    + <%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %>

    <%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%> (<%= number_to_human_size @attachment.filesize %>)

    @@ -10,7 +10,7 @@   <%= render :partial => 'common/file', :locals => {:content => @content, :filename => @attachment.filename} %> -<% html_title @attachment.filename %> +<% html_title h(@attachment.filename) %> <% content_for :header_tags do -%> <%= stylesheet_link_tag "scm" -%> diff --git a/app/views/auth_sources/edit.rhtml b/app/views/auth_sources/edit.rhtml index 165fd4f3..e2c99aa3 100644 --- a/app/views/auth_sources/edit.rhtml +++ b/app/views/auth_sources/edit.rhtml @@ -1,4 +1,4 @@ -

    <%=l(:label_auth_source)%> (<%= @auth_source.auth_method_name %>)

    +

    <%=l(:label_auth_source)%> (<%= h(@auth_source.auth_method_name) %>)

    <% form_tag({:action => 'update', :id => @auth_source}, :class => "tabular") do %> <%= render :partial => 'form' %> diff --git a/app/views/auth_sources/new.rhtml b/app/views/auth_sources/new.rhtml index 2d493dc3..d0b9b1d4 100644 --- a/app/views/auth_sources/new.rhtml +++ b/app/views/auth_sources/new.rhtml @@ -1,4 +1,4 @@ -

    <%=l(:label_auth_source_new)%> (<%= @auth_source.auth_method_name %>)

    +

    <%=l(:label_auth_source_new)%> (<%= h(@auth_source.auth_method_name) %>)

    <% form_tag({:action => 'create'}, :class => "tabular") do %> <%= render :partial => 'form' %> diff --git a/app/views/boards/show.rhtml b/app/views/boards/show.rhtml index 54c02c81..eb33d880 100644 --- a/app/views/boards/show.rhtml +++ b/app/views/boards/show.rhtml @@ -43,7 +43,7 @@ <% @topics.each do |topic| %> <%= link_to h(topic.subject), { :controller => 'messages', :action => 'show', :board_id => @board, :id => topic } %> - <%= topic.author %> + <%= link_to_user(topic.author) %> <%= format_time(topic.created_on) %> <%= topic.replies_count %> diff --git a/app/views/common/_diff.rhtml b/app/views/common/_diff.rhtml index b4327aec..273479f2 100644 --- a/app/views/common/_diff.rhtml +++ b/app/views/common/_diff.rhtml @@ -5,7 +5,7 @@ <% if diff.diff_type == 'sbs' -%> - + <% table_file.each_line do |spacing, line| -%> @@ -31,7 +31,7 @@ <% else -%>
    <%=to_utf8_for_attachments table_file.file_name %>
    <%= h(to_utf8_for_attachments(table_file.file_name)) %>
    - + <% table_file.each_line do |spacing, line| %> diff --git a/app/views/common/error.html.erb b/app/views/common/error.html.erb index 0367b47b..cbded214 100644 --- a/app/views/common/error.html.erb +++ b/app/views/common/error.html.erb @@ -3,4 +3,4 @@

    <%=h @message %>

    Back

    -<% html_title @status %> +<% html_title h(@status) %> diff --git a/app/views/custom_fields/_form.rhtml b/app/views/custom_fields/_form.rhtml index ec265aca..dcaecead 100644 --- a/app/views/custom_fields/_form.rhtml +++ b/app/views/custom_fields/_form.rhtml @@ -82,7 +82,7 @@ when "IssueCustomField" %>
    <%=l(:label_tracker_plural)%> <% for tracker in @trackers %> - <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= tracker.name %> + <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= h(tracker.name) %> <% end %> <%= hidden_field_tag "custom_field[tracker_ids][]", '' %>
    diff --git a/app/views/custom_fields/_index.rhtml b/app/views/custom_fields/_index.rhtml index 21ae01be..a6495fbf 100644 --- a/app/views/custom_fields/_index.rhtml +++ b/app/views/custom_fields/_index.rhtml @@ -13,7 +13,7 @@ <% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%> "> - + <% if tab[:name] == 'IssueCustomField' %> diff --git a/app/views/documents/show.rhtml b/app/views/documents/show.rhtml index 75854357..922fe36b 100644 --- a/app/views/documents/show.rhtml +++ b/app/views/documents/show.rhtml @@ -25,7 +25,7 @@ <% end %> <% end %> -<% html_title @document.title -%> +<% html_title h(@document.title) -%> <% content_for :header_tags do %> <%= stylesheet_link_tag 'scm' %> diff --git a/app/views/gantts/show.html.erb b/app/views/gantts/show.html.erb index 0c024528..bfe1dc59 100644 --- a/app/views/gantts/show.html.erb +++ b/app/views/gantts/show.html.erb @@ -101,7 +101,7 @@ height = (show_weeks ? header_heigth : header_heigth + g_height) width = ((month_f >> 1) - month_f) * zoom - 1 %>
    - <%= link_to "#{month_f.year}-#{month_f.month}", @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%> + <%= link_to h("#{month_f.year}-#{month_f.month}"), @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%>
    <% left = left + width + 1 diff --git a/app/views/issue_statuses/index.html.erb b/app/views/issue_statuses/index.html.erb index 5bc139d8..0d3c1503 100644 --- a/app/views/issue_statuses/index.html.erb +++ b/app/views/issue_statuses/index.html.erb @@ -19,7 +19,7 @@ <% for status in @issue_statuses %> "> - + <% if Issue.use_status_for_done_ratio? %> <% end %> diff --git a/app/views/issues/_attributes.rhtml b/app/views/issues/_attributes.rhtml index 7f5151df..499537ef 100644 --- a/app/views/issues/_attributes.rhtml +++ b/app/views/issues/_attributes.rhtml @@ -4,7 +4,7 @@ <% if @issue.new_record? || @allowed_statuses.any? %>

    <%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %>

    <% else %> -

    <%= @issue.status.name %>

    +

    <%= h(@issue.status.name) %>

    <% end %>

    <%= f.select :priority_id, (@priorities.collect {|p| [p.name, p.id]}), {:required => true}, :disabled => !@issue.leaf? %>

    diff --git a/app/views/issues/_list_simple.rhtml b/app/views/issues/_list_simple.rhtml index 22e61478..09a5097e 100644 --- a/app/views/issues/_list_simple.rhtml +++ b/app/views/issues/_list_simple.rhtml @@ -9,10 +9,10 @@ <% for issue in issues %> - + diff --git a/app/views/issues/_relations.rhtml b/app/views/issues/_relations.rhtml index e7672dca..3dab155f 100644 --- a/app/views/issues/_relations.rhtml +++ b/app/views/issues/_relations.rhtml @@ -14,7 +14,7 @@ <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %> - + <% for status in @statuses %> - + <% end %> @@ -15,7 +15,7 @@ <% for row in rows %> "> - @@ -50,4 +50,4 @@
    <%=to_utf8_for_attachments table_file.file_name %>
    <%= h(to_utf8_for_attachments(table_file.file_name)) %>
    <%= link_to custom_field.name, :action => 'edit', :id => custom_field %><%= link_to h(custom_field.name), :action => 'edit', :id => custom_field %> <%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %> <%= checked_image custom_field.is_required? %>
    <%= link_to status.name, :action => 'edit', :id => status %><%= link_to h(status.name), :action => 'edit', :id => status %><%= h status.default_done_ratio %>
    <%= check_box_tag("ids[]", issue.id, false, :style => 'display:none;') %> - <%= link_to issue.id, :controller => 'issues', :action => 'show', :id => issue %> + <%= link_to(h(issue.id), :controller => 'issues', :action => 'show', :id => issue) %> <%= link_to_project(issue.project) %> <%=h issue.tracker %><%= relation.other_issue(@issue).status.name %><%= h(relation.other_issue(@issue).status.name) %> <%= format_date(relation.other_issue(@issue).start_date) %> <%= format_date(relation.other_issue(@issue).due_date) %> <%= link_to_remote(image_tag('delete.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :issue_id => @issue, :id => relation}, diff --git a/app/views/issues/index.rhtml b/app/views/issues/index.rhtml index 3a5c41c5..18df5a6b 100644 --- a/app/views/issues/index.rhtml +++ b/app/views/issues/index.rhtml @@ -6,7 +6,7 @@

    <%= @query.new_record? ? l(:label_issue_plural) : h(@query.name) %>

    -<% html_title(@query.new_record? ? l(:label_issue_plural) : @query.name) %> +<% html_title(@query.new_record? ? l(:label_issue_plural) : h(@query.name)) %> <% form_tag({ :controller => 'queries', :action => 'new' }, :id => 'query_form') do %> <%= hidden_field_tag('project_id', @project.to_param) if @project %> diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml index 8a3b69a3..eddc7da0 100644 --- a/app/views/issues/show.rhtml +++ b/app/views/issues/show.rhtml @@ -113,7 +113,7 @@ <%= f.link_to 'PDF' %> <% end %> -<% html_title "#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}" %> +<% html_title h("#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}") %> <% content_for :sidebar do %> <%= render :partial => 'issues/sidebar' %> diff --git a/app/views/mailer/account_activated.text.html.rhtml b/app/views/mailer/account_activated.text.html.rhtml index 6dc95223..cb8d8caa 100644 --- a/app/views/mailer/account_activated.text.html.rhtml +++ b/app/views/mailer/account_activated.text.html.rhtml @@ -1,2 +1,2 @@

    <%= l(:notice_account_activated) %>

    -

    <%= l(:label_login) %>: <%= link_to @login_url, @login_url %>

    +

    <%= l(:label_login) %>: <%= link_to h(@login_url), @login_url %>

    diff --git a/app/views/mailer/account_activation_request.text.html.rhtml b/app/views/mailer/account_activation_request.text.html.rhtml index b19cf321..4450631b 100644 --- a/app/views/mailer/account_activation_request.text.html.rhtml +++ b/app/views/mailer/account_activation_request.text.html.rhtml @@ -1,2 +1,2 @@

    <%= l(:mail_body_account_activation_request, h(@user.login)) %>

    -

    <%= link_to @url, @url %>

    +

    <%= link_to h(@url), @url %>

    diff --git a/app/views/mailer/attachments_added.text.html.rhtml b/app/views/mailer/attachments_added.text.html.rhtml index 369834b6..11d1cf54 100644 --- a/app/views/mailer/attachments_added.text.html.rhtml +++ b/app/views/mailer/attachments_added.text.html.rhtml @@ -1,4 +1,4 @@ -<%= link_to @added_to, @added_to_url %>
    +<%= link_to h(@added_to), @added_to_url %>
      <% @attachments.each do |attachment | %>
    • <%=h attachment.filename %>
      • diff --git a/app/views/mailer/reminder.text.html.rhtml b/app/views/mailer/reminder.text.html.rhtml index 62201e50..f011da3e 100644 --- a/app/views/mailer/reminder.text.html.rhtml +++ b/app/views/mailer/reminder.text.html.rhtml @@ -2,7 +2,7 @@
        <% @issues.each do |issue| -%> -
      • <%=h issue.project %> - <%=link_to("#{issue.tracker} ##{issue.id}", :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %>
        • +
      • <%=h issue.project %> - <%=link_to(h("#{issue.tracker} ##{issue.id}"), :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %>
        • <% end -%>
      diff --git a/app/views/mailer/wiki_content_updated.text.html.rhtml b/app/views/mailer/wiki_content_updated.text.html.rhtml index de173b96..d62d33e1 100644 --- a/app/views/mailer/wiki_content_updated.text.html.rhtml +++ b/app/views/mailer/wiki_content_updated.text.html.rhtml @@ -3,4 +3,4 @@ <%=h @wiki_content.comments %>

      <%= l(:label_view_diff) %>:
      -<%= link_to @wiki_diff_url, @wiki_diff_url %>

      +<%= link_to h(@wiki_diff_url), @wiki_diff_url %>

      diff --git a/app/views/news/show.rhtml b/app/views/news/show.rhtml index 7167a305..fd92e386 100644 --- a/app/views/news/show.rhtml +++ b/app/views/news/show.rhtml @@ -63,7 +63,7 @@ <% end %> <% end %> -<% html_title @news.title -%> +<% html_title h(@news.title) -%> <% content_for :header_tags do %> <%= stylesheet_link_tag 'scm' %> diff --git a/app/views/projects/_form.rhtml b/app/views/projects/_form.rhtml index 9772a899..43f9a1b9 100644 --- a/app/views/projects/_form.rhtml +++ b/app/views/projects/_form.rhtml @@ -42,7 +42,7 @@ <% @trackers.each do |tracker| %> <% end %> <%= hidden_field_tag 'project[tracker_ids][]', '' %> @@ -54,7 +54,7 @@ <% @issue_custom_fields.each do |custom_field| %> <% end %> <%= hidden_field_tag 'project[issue_custom_field_ids][]', '' %> diff --git a/app/views/projects/list_members.rhtml b/app/views/projects/list_members.rhtml index 7f2ae379..04de1604 100644 --- a/app/views/projects/list_members.rhtml +++ b/app/views/projects/list_members.rhtml @@ -4,7 +4,7 @@ <% members = @members.group_by {|m| m.role } %> <% members.keys.sort{|x,y| x.position <=> y.position}.each do |role| %> -

      <%= role.name %>

      +

      <%= h(role.name) %>

        <% members[role].each do |m| %>
      • <%= link_to_user m.user %> (<%= format_date m.created_on %>)
        • diff --git a/app/views/projects/show.rhtml b/app/views/projects/show.rhtml index 027d9377..b7036a56 100644 --- a/app/views/projects/show.rhtml +++ b/app/views/projects/show.rhtml @@ -18,7 +18,7 @@ <% end %> <% @project.visible_custom_field_values.each do |custom_value| %> <% if !custom_value.value.blank? %> -
      • <%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %>
        • +
      • <%= h(custom_value.custom_field.name) %>: <%=h show_value(custom_value) %>
        • <% end %> <% end %>
      @@ -28,7 +28,7 @@

      <%=l(:label_issue_tracking)%>

        <% for tracker in @trackers %> -
      • <%= link_to tracker.name, :controller => 'issues', :action => 'index', :project_id => @project, +
      • <%= link_to h(tracker.name), :controller => 'issues', :action => 'index', :project_id => @project, :set_filter => 1, "tracker_id" => tracker.id %>: <%= l(:label_x_open_issues_abbr_on_total, :count => @open_issues_by_tracker[tracker].to_i, diff --git a/app/views/queries/index.rhtml b/app/views/queries/index.rhtml index 7f91399f..066f30ed 100644 --- a/app/views/queries/index.rhtml +++ b/app/views/queries/index.rhtml @@ -11,7 +11,7 @@ <% @queries.each do |query| %>
    - <%= link_to query.name, :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %> + <%= link_to h(query.name), :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %> diff --git a/app/views/reports/_details.rhtml b/app/views/reports/_details.rhtml index ac9f2b0c..352b06d3 100644 --- a/app/views/reports/_details.rhtml +++ b/app/views/reports/_details.rhtml @@ -6,7 +6,7 @@
    <%= status.name %><%= h(status.name) %><%=l(:label_open_issues_plural)%> <%=l(:label_closed_issues_plural)%>
    <%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), + <%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), :set_filter => 1, :subproject_id => '!*', "#{field_name}" => row.id %>
    <% end - reset_cycle %> \ No newline at end of file + reset_cycle %> diff --git a/app/views/reports/_simple.rhtml b/app/views/reports/_simple.rhtml index 0b097879..46f4a9fd 100644 --- a/app/views/reports/_simple.rhtml +++ b/app/views/reports/_simple.rhtml @@ -11,7 +11,7 @@ <% for row in rows %> "> - <%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), + <%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), :set_filter => 1, :subproject_id => '!*', "#{field_name}" => row.id %> @@ -38,4 +38,4 @@ <% end - reset_cycle %> \ No newline at end of file + reset_cycle %> diff --git a/app/views/repositories/_breadcrumbs.rhtml b/app/views/repositories/_breadcrumbs.rhtml index 0d548176..de3001e0 100644 --- a/app/views/repositories/_breadcrumbs.rhtml +++ b/app/views/repositories/_breadcrumbs.rhtml @@ -25,4 +25,4 @@ dirs.each do |dir| %> <%= "@ #{h rev_text}" unless rev_text.blank? %> -<% html_title(with_leading_slash(path)) -%> +<% html_title(h(with_leading_slash(path))) -%> diff --git a/app/views/repositories/_dir_list_content.rhtml b/app/views/repositories/_dir_list_content.rhtml index f6833c89..5207e3f7 100644 --- a/app/views/repositories/_dir_list_content.rhtml +++ b/app/views/repositories/_dir_list_content.rhtml @@ -3,7 +3,7 @@ depth = params[:depth].to_i %> <% ent_path = replace_invalid_utf8(entry.path) %> <% ent_name = replace_invalid_utf8(entry.name) %> - + <% if entry.is_dir? %> <%= link_to_revision(changeset, @project) if changeset %> <%= distance_of_time_in_words(entry.lastrev.time, Time.now) if entry.lastrev && entry.lastrev.time %> -<%= changeset.nil? ? h(replace_invalid_utf8(entry.lastrev.author.to_s.split('<').first)) : changeset.author if entry.lastrev %> +<%= changeset.nil? ? h(replace_invalid_utf8(entry.lastrev.author.to_s.split('<').first)) : h(changeset.author) if entry.lastrev %> <%=h truncate(Changeset.to_utf8(changeset.comments, changeset.repository.repo_log_encoding), :length => 50) unless changeset.nil? %> <% end %> diff --git a/app/views/repositories/diff.rhtml b/app/views/repositories/diff.rhtml index efb84a44..cb868665 100644 --- a/app/views/repositories/diff.rhtml +++ b/app/views/repositories/diff.rhtml @@ -16,7 +16,7 @@ <%= f.link_to 'Diff', :url => params, :caption => 'Unified diff' %> <% end %> -<% html_title(with_leading_slash(@path), 'Diff') -%> +<% html_title(h(with_leading_slash(@path)), 'Diff') -%> <% content_for :header_tags do %> <%= stylesheet_link_tag "scm" %> diff --git a/app/views/repositories/revision.rhtml b/app/views/repositories/revision.rhtml index 483e358d..ce90a254 100644 --- a/app/views/repositories/revision.rhtml +++ b/app/views/repositories/revision.rhtml @@ -21,7 +21,7 @@

    <%= l(:label_revision) %> <%= format_revision(@changeset) %>

    -

    <% if @changeset.scmid %>ID: <%= @changeset.scmid %>
    <% end %> +

    <% if @changeset.scmid %>ID: <%= h(@changeset.scmid) %>
    <% end %> <%= authoring(@changeset.committed_on, @changeset.author) %>

    <%= textilizable @changeset.comments %> diff --git a/app/views/roles/index.html.erb b/app/views/roles/index.html.erb index fb5ff5be..b8cea261 100644 --- a/app/views/roles/index.html.erb +++ b/app/views/roles/index.html.erb @@ -13,7 +13,7 @@ <% for role in @roles %> "> - <%= content_tag(role.builtin? ? 'em' : 'span', link_to(role.name, :action => 'edit', :id => role)) %> + <%= content_tag(role.builtin? ? 'em' : 'span', link_to(h(role.name), :action => 'edit', :id => role)) %> <% unless role.builtin? %> <%= reorder_links('role', {:action => 'edit', :id => role}) %> diff --git a/app/views/search/index.rhtml b/app/views/search/index.rhtml index db9e3b64..02833a5d 100644 --- a/app/views/search/index.rhtml +++ b/app/views/search/index.rhtml @@ -31,9 +31,9 @@ <% @results.each do |e| %>
    <%= content_tag('span', h(e.project), :class => 'project') unless @project == e.project %> - <%= link_to highlight_tokens(truncate(e.event_title, :length => 255), @tokens), e.event_url %> + <%= link_to highlight_tokens(truncate(h(e.event_title), :length => 255), @tokens), e.event_url %>
    -
    <%= highlight_tokens(e.event_description, @tokens) %> +
    <%= highlight_tokens(h(e.event_description), @tokens) %> <%= format_time(e.event_datetime) %>
    <% end %> diff --git a/app/views/timelog/_list.rhtml b/app/views/timelog/_list.rhtml index 28f1f523..6b0f970b 100644 --- a/app/views/timelog/_list.rhtml +++ b/app/views/timelog/_list.rhtml @@ -15,9 +15,9 @@ <% entries.each do |entry| -%> "> <%= format_date(entry.spent_on) %> -<%=h entry.user %> +<%= link_to_user(entry.user) %> <%=h entry.activity %> -<%=h entry.project %> +<%= link_to_project(entry.project) %> <% if entry.issue -%> <%= entry.issue.visible? ? link_to_issue(entry.issue, :truncate => 50) : "##{entry.issue.id}" -%> diff --git a/app/views/trackers/index.html.erb b/app/views/trackers/index.html.erb index ab6eba57..c4981ccd 100644 --- a/app/views/trackers/index.html.erb +++ b/app/views/trackers/index.html.erb @@ -14,7 +14,7 @@ <% for tracker in @trackers %> "> - <%= link_to tracker.name, :action => 'edit', :id => tracker %> + <%= link_to h(tracker.name), :action => 'edit', :id => tracker %> <% unless tracker.workflows.count > 0 %><%= l(:text_tracker_no_workflow) %> (<%= link_to l(:button_edit), {:controller => 'workflows', :action => 'edit', :tracker_id => tracker} %>)<% end %> <%= reorder_links('tracker', {:action => 'edit', :id => tracker}) %> diff --git a/app/views/users/edit.rhtml b/app/views/users/edit.rhtml index 0d9cb013..ccf4489d 100644 --- a/app/views/users/edit.rhtml +++ b/app/views/users/edit.rhtml @@ -7,4 +7,4 @@ <%= render_tabs user_settings_tabs %> -<% html_title(l(:label_user), @user.login, l(:label_administration)) -%> +<% html_title(l(:label_user), h(@user.login), l(:label_administration)) -%> diff --git a/app/views/users/show.rhtml b/app/views/users/show.rhtml index ac93ed02..a9cd0100 100644 --- a/app/views/users/show.rhtml +++ b/app/views/users/show.rhtml @@ -70,4 +70,4 @@ <%= call_hook :view_account_right_bottom, :user => @user %>
    -<% html_title @user.name %> +<% html_title h(@user.name) %> diff --git a/app/views/versions/_issue_counts.rhtml b/app/views/versions/_issue_counts.rhtml index 71dc5787..cb957f30 100644 --- a/app/views/versions/_issue_counts.rhtml +++ b/app/views/versions/_issue_counts.rhtml @@ -15,7 +15,7 @@ <% counts.each do |count| %> - <%= link_to count[:group], {:controller => 'issues', + <%= link_to h(count[:group]), {:controller => 'issues', :action => 'index', :project_id => version.project, :set_filter => 1, diff --git a/app/views/versions/index.html.erb b/app/views/versions/index.html.erb index 2fded9c6..0d132a73 100644 --- a/app/views/versions/index.html.erb +++ b/app/views/versions/index.html.erb @@ -5,7 +5,7 @@ <% else %>
    <% @versions.each do |version| %> -

    <%= tag 'a', :name => version.name %><%= link_to_version version %>

    +

    <%= tag 'a', :name => h(version.name) %><%= link_to_version version %>

    <%= render :partial => 'versions/overview', :locals => {:version => version} %> <%= render(:partial => "wiki/content", :locals => {:content => version.wiki_page.content}) if version.wiki_page %> diff --git a/app/views/versions/show.rhtml b/app/views/versions/show.rhtml index 25d93eaf..9741356f 100644 --- a/app/views/versions/show.rhtml +++ b/app/views/versions/show.rhtml @@ -46,4 +46,4 @@ <%= call_hook :view_versions_show_bottom, :version => @version %> -<% html_title @version.name %> +<% html_title h(@version.name) %> diff --git a/app/views/wiki/annotate.rhtml b/app/views/wiki/annotate.rhtml index dfea1958..abceb4e7 100644 --- a/app/views/wiki/annotate.rhtml +++ b/app/views/wiki/annotate.rhtml @@ -3,11 +3,11 @@ <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
    -

    <%= @page.pretty_title %>

    +

    <%= h(@page.pretty_title) %>

    -<%= l(:label_version) %> <%= link_to @annotate.content.version, :action => 'show', :id => @page.title, :version => @annotate.content.version %> -(<%= @annotate.content.author ? @annotate.content.author.name : "anonyme" %>, <%= format_time(@annotate.content.updated_on) %>) +<%= l(:label_version) %> <%= link_to h(@annotate.content.version), :action => 'show', :id => @page.title, :version => @annotate.content.version %> +(<%= h(@annotate.content.author ? @annotate.content.author.name : "anonyme") %>, <%= format_time(@annotate.content.updated_on) %>)

    <% colors = Hash.new {|k,v| k[v] = (k.size % 12) } %> diff --git a/app/views/wiki/date_index.html.erb b/app/views/wiki/date_index.html.erb index 611f18b2..a5000f29 100644 --- a/app/views/wiki/date_index.html.erb +++ b/app/views/wiki/date_index.html.erb @@ -12,7 +12,7 @@

    <%= format_date(date) %>

    <% end %> diff --git a/app/views/wiki/diff.rhtml b/app/views/wiki/diff.rhtml index a1006dce..e5f1666a 100644 --- a/app/views/wiki/diff.rhtml +++ b/app/views/wiki/diff.rhtml @@ -2,14 +2,14 @@ <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
    -

    <%= @page.pretty_title %>

    +

    <%= h(@page.pretty_title) %>

    <%= l(:label_version) %> <%= link_to @diff.content_from.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_from.version %> -(<%= @diff.content_from.author ? @diff.content_from.author.name : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>) +(<%= @diff.content_from.author ? link_to_user(@diff.content_from.author) : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>) → <%= l(:label_version) %> <%= link_to @diff.content_to.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_to.version %>/<%= @page.content.version %> -(<%= @diff.content_to.author ? @diff.content_to.author.name : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>) +(<%= @diff.content_to.author ? link_to_user(@diff.content_to.author) : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>)

    diff --git a/app/views/wiki/edit.rhtml b/app/views/wiki/edit.rhtml index 62933ae8..d858dcff 100644 --- a/app/views/wiki/edit.rhtml +++ b/app/views/wiki/edit.rhtml @@ -26,4 +26,4 @@ <%= robot_exclusion_tag %> <% end %> -<% html_title @page.pretty_title %> +<% html_title h(@page.pretty_title) %> diff --git a/app/views/wiki/export_multiple.rhtml b/app/views/wiki/export_multiple.rhtml index 31fa557c..df8f7401 100644 --- a/app/views/wiki/export_multiple.rhtml +++ b/app/views/wiki/export_multiple.rhtml @@ -20,13 +20,13 @@ h1:hover a.wiki-anchor, h2:hover a.wiki-anchor, h3:hover a.wiki-anchor { display <%= l(:label_index_by_title) %> <% @pages.each do |page| %>
    - + <%= textilizable page.content ,:text, :wiki_links => :anchor %> <% end %> diff --git a/app/views/wiki/history.rhtml b/app/views/wiki/history.rhtml index 78598e3f..7c72242d 100644 --- a/app/views/wiki/history.rhtml +++ b/app/views/wiki/history.rhtml @@ -1,4 +1,4 @@ -

    <%= @page.pretty_title %>

    +

    <%= h(@page.pretty_title) %>

    <%= l(:label_history) %>

    @@ -18,7 +18,7 @@ <% line_num = 1 %> <% @versions.each do |ver| %> "> - <%= link_to ver.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %> + <%= link_to h(ver.version), :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %> <%= radio_button_tag('version', ver.version, (line_num==1), :id => "cb-#{line_num}", :onclick => "$('cbto-#{line_num+1}').checked=true;") if show_diff && (line_num < @versions.size) %> <%= radio_button_tag('version_from', ver.version, (line_num==2), :id => "cbto-#{line_num}") if show_diff && (line_num > 1) %> <%= format_time(ver.created_at) %> diff --git a/app/views/wiki/rename.rhtml b/app/views/wiki/rename.rhtml index f94b8bc3..2defff51 100644 --- a/app/views/wiki/rename.rhtml +++ b/app/views/wiki/rename.rhtml @@ -1,4 +1,4 @@ -

    <%= l(:button_rename) %>: <%= @original_title %>

    +

    <%= l(:button_rename) %>: <%= h(@original_title) %>

    <%= error_messages_for 'page' %> diff --git a/app/views/wiki/show.rhtml b/app/views/wiki/show.rhtml index 6cc7fbc0..09d10f58 100644 --- a/app/views/wiki/show.rhtml +++ b/app/views/wiki/show.rhtml @@ -21,7 +21,7 @@ <%= link_to((l(:label_next) + ' »'), :action => 'show', :id => @page.title, :project_id => @page.project, :version => (@content.version + 1)) + " - " if @content.version < @page.content.version %> <%= link_to(l(:label_current_version), :action => 'show', :id => @page.title, :project_id => @page.project) %>
    - <%= @content.author ? @content.author.name : "anonyme" %>, <%= format_time(@content.updated_on) %>
    + <%= @content.author ? link_to_user(@content.author) : "anonyme" %>, <%= format_time(@content.updated_on) %>
    <%=h @content.comments %>

    @@ -61,4 +61,4 @@ <%= render :partial => 'wiki/sidebar' %> <% end %> -<% html_title @page.pretty_title %> +<% html_title h(@page.pretty_title) %> diff --git a/app/views/wikis/destroy.rhtml b/app/views/wikis/destroy.rhtml index b5b1de11..75c0eac2 100644 --- a/app/views/wikis/destroy.rhtml +++ b/app/views/wikis/destroy.rhtml @@ -1,7 +1,7 @@

    <%=l(:label_confirmation)%>

    -

    <%= @project.name %>
    <%=l(:text_wiki_destroy_confirmation)%>

    +

    <%= h(@project.name) %>
    <%=l(:text_wiki_destroy_confirmation)%>

    <% form_tag({:controller => 'wikis', :action => 'destroy', :id => @project}) do %> <%= hidden_field_tag "confirm", 1 %>