[#547] Security audit

This commit is contained in:
Eric Davis 2011-07-30 12:51:06 -07:00
parent bf13b0f409
commit 2c46411678
63 changed files with 94 additions and 94 deletions


@ -107,7 +107,7 @@ module ApplicationHelper
text = options.delete(:text) || format_revision(revision) text = options.delete(:text) || format_revision(revision)
rev = revision.respond_to?(:identifier) ? revision.identifier : revision rev = revision.respond_to?(:identifier) ? revision.identifier : revision
link_to(text, {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev}, link_to(h(text), {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev},
:title => l(:label_revision_id, format_revision(revision))) :title => l(:label_revision_id, format_revision(revision)))
end end
@ -410,7 +410,7 @@ module ApplicationHelper
def html_title(*args) def html_title(*args)
if args.empty? if args.empty?
title = [] title = []
title << @project.name if @project title << h(@project.name) if @project
title += @html_title if @html_title title += @html_title if @html_title
title << Setting.app_title title << Setting.app_title
title.select {|t| !t.blank? }.join(' - ') title.select {|t| !t.blank? }.join(' - ')
@ -561,7 +561,7 @@ module ApplicationHelper
wiki_page_id = page.present? ? Wiki.titleize(page) : nil wiki_page_id = page.present? ? Wiki.titleize(page) : nil
url_for(:only_path => only_path, :controller => 'wiki', :action => 'show', :project_id => link_project, :id => wiki_page_id, :anchor => anchor) url_for(:only_path => only_path, :controller => 'wiki', :action => 'show', :project_id => link_project, :id => wiki_page_id, :anchor => anchor)
end end
link_to((title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new'))) link_to(h(title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new')))
else else
# project or wiki doesn't exist # project or wiki doesn't exist
all all
@ -615,7 +615,7 @@ module ApplicationHelper
if prefix.nil? && sep == 'r' if prefix.nil? && sep == 'r'
# project.changesets.visible raises an SQL error because of a double join on repositories # project.changesets.visible raises an SQL error because of a double join on repositories
if project && project.repository && (changeset = Changeset.visible.find_by_repository_id_and_revision(project.repository.id, identifier)) if project && project.repository && (changeset = Changeset.visible.find_by_repository_id_and_revision(project.repository.id, identifier))
link = link_to("#{project_prefix}r#{identifier}", {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision}, link = link_to(h("#{project_prefix}r#{identifier}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
:class => 'changeset', :class => 'changeset',
:title => truncate_single_line(changeset.comments, :length => 100)) :title => truncate_single_line(changeset.comments, :length => 100))
end end
@ -665,7 +665,7 @@ module ApplicationHelper
if project && project.repository && (changeset = Changeset.visible.find(:first, :conditions => ["repository_id = ? AND scmid LIKE ?", project.repository.id, "#{name}%"])) if project && project.repository && (changeset = Changeset.visible.find(:first, :conditions => ["repository_id = ? AND scmid LIKE ?", project.repository.id, "#{name}%"]))
link = link_to h("#{project_prefix}#{name}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.identifier}, link = link_to h("#{project_prefix}#{name}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.identifier},
:class => 'changeset', :class => 'changeset',
:title => truncate_single_line(changeset.comments, :length => 100) :title => truncate_single_line(h(changeset.comments), :length => 100)
end end
when 'source', 'export' when 'source', 'export'
if project && project.repository && User.current.allowed_to?(:browse_repository, project) if project && project.repository && User.current.allowed_to?(:browse_repository, project)
@ -831,7 +831,7 @@ module ApplicationHelper
options[:class] << ' disabled' options[:class] << ' disabled'
url = '#' url = '#'
end end
link_to name, url, options link_to h(name), url, options
end end
def calendar_for(field_id) def calendar_for(field_id)
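Review bot: html_title (second hunk) escapes only @project.name; the @html_title entries and Setting.app_title are joined raw, so the helper now depends on every caller handing it pre-escaped strings, which is what the view hunks in this commit do with `html_title h(...)`. One unescaped call site reintroduces the problem and an already-escaped value passed through `h` again double-escapes, so the contract belongs on the method: `# Entries in @html_title and in *args must already be HTML-escaped; only @project.name is escaped here.` In the changeset hunks, the scmid branch now escapes changeset.comments before truncate_single_line, which can cut an entity such as `&amp;` in half, while the revision branch a few lines earlier still passes the raw comments as `:title`; if link_to's attribute escaping is being relied on for the latter, the new `h` is redundant and the two branches should match. The enclosing methods start outside these hunks.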


@ -45,6 +45,6 @@ module CalendarsHelper
end end
def link_to_month(link_name, year, month, options={}) def link_to_month(link_name, year, month, options={})
link_to_content_update(link_name, params.merge(:year => year, :month => month)) link_to_content_update(h(link_name), params.merge(:year => year, :month => month))
end end
end end


@ -53,7 +53,7 @@ module CustomFieldsHelper
# Return custom field label tag # Return custom field label tag
def custom_field_label_tag(name, custom_value) def custom_field_label_tag(name, custom_value)
content_tag "label", custom_value.custom_field.name + content_tag "label", h(custom_value.custom_field.name) +
(custom_value.custom_field.is_required? ? " <span class=\"required\">*</span>" : ""), (custom_value.custom_field.is_required? ? " <span class=\"required\">*</span>" : ""),
:for => "#{name}_custom_field_values_#{custom_value.custom_field.id}", :for => "#{name}_custom_field_values_#{custom_value.custom_field.id}",
:class => (custom_value.errors.empty? ? nil : "error" ) :class => (custom_value.errors.empty? ? nil : "error" )


@ -44,11 +44,11 @@ module IssuesHelper
link_to_issue(issue) + "<br /><br />" + link_to_issue(issue) + "<br /><br />" +
"<strong>#{@cached_label_project}</strong>: #{link_to_project(issue.project)}<br />" + "<strong>#{@cached_label_project}</strong>: #{link_to_project(issue.project)}<br />" +
"<strong>#{@cached_label_status}</strong>: #{issue.status.name}<br />" + "<strong>#{@cached_label_status}</strong>: #{h(issue.status.name)}<br />" +
"<strong>#{@cached_label_start_date}</strong>: #{format_date(issue.start_date)}<br />" + "<strong>#{@cached_label_start_date}</strong>: #{format_date(issue.start_date)}<br />" +
"<strong>#{@cached_label_due_date}</strong>: #{format_date(issue.due_date)}<br />" + "<strong>#{@cached_label_due_date}</strong>: #{format_date(issue.due_date)}<br />" +
"<strong>#{@cached_label_assigned_to}</strong>: #{issue.assigned_to}<br />" + "<strong>#{@cached_label_assigned_to}</strong>: #{h(issue.assigned_to)}<br />" +
"<strong>#{@cached_label_priority}</strong>: #{issue.priority.name}" "<strong>#{@cached_label_priority}</strong>: #{h(issue.priority.name)}"
end end
def render_issue_subject_with_tree(issue) def render_issue_subject_with_tree(issue)
@ -114,7 +114,7 @@ module IssuesHelper
# links to #index on issues/show # links to #index on issues/show
url_params = controller_name == 'issues' ? {:controller => 'issues', :action => 'index', :project_id => @project} : params url_params = controller_name == 'issues' ? {:controller => 'issues', :action => 'index', :project_id => @project} : params
content_tag('h3', title) + content_tag('h3', h(title)) +
queries.collect {|query| queries.collect {|query|
link_to(h(query.name), url_params.merge(:query_id => query)) link_to(h(query.name), url_params.merge(:query_id => query))
}.join('<br />') }.join('<br />')


@ -20,7 +20,7 @@ module QueriesHelper
def column_header(column) def column_header(column)
column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption, column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption,
:default_order => column.default_order) : :default_order => column.default_order) :
content_tag('th', column.caption) content_tag('th', h(column.caption))
end end
def column_content(column, issue) def column_content(column, issue)
@ -41,7 +41,7 @@ module QueriesHelper
if column.name == :done_ratio if column.name == :done_ratio
progress_bar(value, :width => '80px') progress_bar(value, :width => '80px')
else else
value.to_s h(value.to_s)
end end
when 'User' when 'User'
link_to_user value link_to_user value


@ -27,6 +27,6 @@ module ReportsHelper
def aggregate_link(data, criteria, *args) def aggregate_link(data, criteria, *args)
a = aggregate data, criteria a = aggregate data, criteria
a > 0 ? link_to(a, *args) : '-' a > 0 ? link_to(h(a), *args) : '-'
end end
end end
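Review bot: `h(a)` in aggregate_link wraps a value that the `a > 0` test on the same line already requires to be numeric, so it escapes nothing; the caller-supplied parts of this call are the `*args` forwarded to link_to, which the change leaves untouched. Either drop the `h`, or keep it with a comment stating what it is for: `# a is a numeric aggregate; the url/options in *args are the caller's responsibility`. If `aggregate` can return a string in some configuration, that is the place to establish it rather than here.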


@ -83,7 +83,7 @@ module RepositoriesHelper
if s = tree[file][:s] if s = tree[file][:s]
style << ' folder' style << ' folder'
path_param = to_path_param(@repository.relative_path(file)) path_param = to_path_param(@repository.relative_path(file))
text = link_to(text, :controller => 'repositories', text = link_to(h(text), :controller => 'repositories',
:action => 'show', :action => 'show',
:id => @project, :id => @project,
:path => path_param, :path => path_param,
@ -93,18 +93,18 @@ module RepositoriesHelper
elsif c = tree[file][:c] elsif c = tree[file][:c]
style << " change-#{c.action}" style << " change-#{c.action}"
path_param = to_path_param(@repository.relative_path(c.path)) path_param = to_path_param(@repository.relative_path(c.path))
text = link_to(text, :controller => 'repositories', text = link_to(h(text), :controller => 'repositories',
:action => 'entry', :action => 'entry',
:id => @project, :id => @project,
:path => path_param, :path => path_param,
:rev => @changeset.identifier) unless c.action == 'D' :rev => @changeset.identifier) unless c.action == 'D'
text << " - #{c.revision}" unless c.revision.blank? text << " - #{h(c.revision)}" unless c.revision.blank?
text << ' (' + link_to('diff', :controller => 'repositories', text << ' (' + link_to('diff', :controller => 'repositories',
:action => 'diff', :action => 'diff',
:id => @project, :id => @project,
:path => path_param, :path => path_param,
:rev => @changeset.identifier) + ') ' if c.action == 'M' :rev => @changeset.identifier) + ') ' if c.action == 'M'
text << ' ' + content_tag('span', c.from_path, :class => 'copied-from') unless c.from_path.blank? text << ' ' + content_tag('span', h(c.from_path), :class => 'copied-from') unless c.from_path.blank?
output << "<li class='#{style}'>#{text}</li>" output << "<li class='#{style}'>#{text}</li>"
end end
end end
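Review bot: In the second hunk the escaping of `text` is tied to the link: `text = link_to(h(text), ...) unless c.action == 'D'` leaves `text` unescaped for deleted entries, and that raw value is then appended to and written into `output << "<li class='#{style}'>#{text}</li>"` at the end of the hunk. Escape first and link conditionally: `text = h(text)` followed by `text = link_to(text, :controller => 'repositories', ...) unless c.action == 'D'`. The `style` string carrying `c.action` is likewise interpolated raw into the class attribute; if the action value comes from the SCM adapter rather than a fixed set of letters, it needs the same treatment. The enclosing method and the initial assignment of `text` are outside the hunk.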


@ -53,7 +53,7 @@ module SearchHelper
c = results_by_type[t] c = results_by_type[t]
next if c == 0 next if c == 0
text = "#{type_label(t)} (#{c})" text = "#{type_label(t)} (#{c})"
links << link_to(text, :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1) links << link_to(h(text), :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1)
end end
('<ul>' + links.map {|link| content_tag('li', link)}.join(' ') + '</ul>') unless links.empty? ('<ul>' + links.map {|link| content_tag('li', link)}.join(' ') + '</ul>') unless links.empty?
end end


@ -218,7 +218,7 @@ module SortHelper
# Add project_id to url_options # Add project_id to url_options
url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id) url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id)
link_to_content_update(caption, url_options, :class => css) link_to_content_update(h(caption), url_options, :class => css)
end end
# Returns a table header <th> tag with a sort link for the named column # Returns a table header <th> tag with a sort link for the named column


@ -125,7 +125,7 @@ module TimelogHelper
elsif k = @available_criterias[criteria][:klass] elsif k = @available_criterias[criteria][:klass]
obj = k.find_by_id(value.to_i) obj = k.find_by_id(value.to_i)
if obj.is_a?(Issue) if obj.is_a?(Issue)
obj.visible? ? "#{obj.tracker} ##{obj.id}: #{obj.subject}" : "##{obj.id}" obj.visible? ? h("#{obj.tracker} ##{obj.id}: #{obj.subject}") : h("##{obj.id}")
else else
obj obj
end end
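Review bot: The new `h(...)` covers only the Issue branch; the `else` branch two lines below still returns `obj` unescaped, so a non-Issue record found via `k.find_by_id` is emitted through its `to_s` without escaping unless every caller escapes the result. Returning `h(obj)` there (or `obj && h(obj)` if callers distinguish a nil lookup from an empty string) keeps the two branches consistent. The enclosing method starts and ends outside the hunk.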


@ -12,7 +12,7 @@
<%= content_tag('span', h(e.project), :class => 'project') if @project.nil? || @project != e.project %> <%= content_tag('span', h(e.project), :class => 'project') if @project.nil? || @project != e.project %>
<%= link_to format_activity_title(e.event_title), e.event_url %></dt> <%= link_to format_activity_title(e.event_title), e.event_url %></dt>
<dd><span class="description"><%= format_activity_description(e.event_description) %></span> <dd><span class="description"><%= format_activity_description(e.event_description) %></span>
<span class="author"><%= e.event_author if e.respond_to?(:event_author) %></span></dd> <span class="author"><%= link_to_user(e.event_author) if e.respond_to?(:event_author) %></span></dd>
<% end -%> <% end -%>
</dl> </dl>
<% end -%> <% end -%>


@ -11,7 +11,7 @@
:title => l(:button_delete) %> :title => l(:button_delete) %>
<% end %> <% end %>
<% if options[:author] %> <% if options[:author] %>
<span class="author"><%= attachment.author %>, <%= format_time(attachment.created_on) %></span> <span class="author"><%= h(attachment.author) %>, <%= format_time(attachment.created_on) %></span>
<% end %> <% end %>
</p> </p>
<% end %> <% end %>


@ -2,7 +2,7 @@
<div class="attachments"> <div class="attachments">
<p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %> <p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %>
<span class="author"><%= @attachment.author %>, <%= format_time(@attachment.created_on) %></span></p> <span class="author"><%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %></span></p>
<p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%> <p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%>
<span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p> <span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p>
@ -10,7 +10,7 @@
&nbsp; &nbsp;
<%= render :partial => 'common/diff', :locals => {:diff => @diff, :diff_type => @diff_type} %> <%= render :partial => 'common/diff', :locals => {:diff => @diff, :diff_type => @diff_type} %>
<% html_title @attachment.filename %> <% html_title h(@attachment.filename) %>
<% content_for :header_tags do -%> <% content_for :header_tags do -%>
<%= stylesheet_link_tag "scm" -%> <%= stylesheet_link_tag "scm" -%>


@ -2,7 +2,7 @@
<div class="attachments"> <div class="attachments">
<p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %> <p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %>
<span class="author"><%= @attachment.author %>, <%= format_time(@attachment.created_on) %></span></p> <span class="author"><%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %></span></p>
<p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%> <p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%>
<span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p> <span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p>
@ -10,7 +10,7 @@
&nbsp; &nbsp;
<%= render :partial => 'common/file', :locals => {:content => @content, :filename => @attachment.filename} %> <%= render :partial => 'common/file', :locals => {:content => @content, :filename => @attachment.filename} %>
<% html_title @attachment.filename %> <% html_title h(@attachment.filename) %>
<% content_for :header_tags do -%> <% content_for :header_tags do -%>
<%= stylesheet_link_tag "scm" -%> <%= stylesheet_link_tag "scm" -%>


@ -1,4 +1,4 @@
<h2><%=l(:label_auth_source)%> (<%= @auth_source.auth_method_name %>)</h2> <h2><%=l(:label_auth_source)%> (<%= h(@auth_source.auth_method_name) %>)</h2>
<% form_tag({:action => 'update', :id => @auth_source}, :class => "tabular") do %> <% form_tag({:action => 'update', :id => @auth_source}, :class => "tabular") do %>
<%= render :partial => 'form' %> <%= render :partial => 'form' %>


@ -1,4 +1,4 @@
<h2><%=l(:label_auth_source_new)%> (<%= @auth_source.auth_method_name %>)</h2> <h2><%=l(:label_auth_source_new)%> (<%= h(@auth_source.auth_method_name) %>)</h2>
<% form_tag({:action => 'create'}, :class => "tabular") do %> <% form_tag({:action => 'create'}, :class => "tabular") do %>
<%= render :partial => 'form' %> <%= render :partial => 'form' %>


@ -43,7 +43,7 @@
<% @topics.each do |topic| %> <% @topics.each do |topic| %>
<tr class="message <%= cycle 'odd', 'even' %> <%= topic.sticky? ? 'sticky' : '' %> <%= topic.locked? ? 'locked' : '' %>"> <tr class="message <%= cycle 'odd', 'even' %> <%= topic.sticky? ? 'sticky' : '' %> <%= topic.locked? ? 'locked' : '' %>">
<td class="subject"><%= link_to h(topic.subject), { :controller => 'messages', :action => 'show', :board_id => @board, :id => topic } %></td> <td class="subject"><%= link_to h(topic.subject), { :controller => 'messages', :action => 'show', :board_id => @board, :id => topic } %></td>
<td class="author" align="center"><%= topic.author %></td> <td class="author" align="center"><%= link_to_user(topic.author) %></td>
<td class="created_on" align="center"><%= format_time(topic.created_on) %></td> <td class="created_on" align="center"><%= format_time(topic.created_on) %></td>
<td class="replies" align="center"><%= topic.replies_count %></td> <td class="replies" align="center"><%= topic.replies_count %></td>
<td class="last_message"> <td class="last_message">


@ -5,7 +5,7 @@
<% if diff.diff_type == 'sbs' -%> <% if diff.diff_type == 'sbs' -%>
<table class="filecontent"> <table class="filecontent">
<thead> <thead>
<tr><th colspan="4" class="filename"><%=to_utf8_for_attachments table_file.file_name %></th></tr> <tr><th colspan="4" class="filename"><%= h(to_utf8_for_attachments(table_file.file_name)) %></th></tr>
</thead> </thead>
<tbody> <tbody>
<% table_file.each_line do |spacing, line| -%> <% table_file.each_line do |spacing, line| -%>
@ -31,7 +31,7 @@
<% else -%> <% else -%>
<table class="filecontent"> <table class="filecontent">
<thead> <thead>
<tr><th colspan="3" class="filename"><%=to_utf8_for_attachments table_file.file_name %></th></tr> <tr><th colspan="3" class="filename"><%= h(to_utf8_for_attachments(table_file.file_name)) %></th></tr>
</thead> </thead>
<tbody> <tbody>
<% table_file.each_line do |spacing, line| %> <% table_file.each_line do |spacing, line| %>


@ -3,4 +3,4 @@
<p id="errorExplanation"><%=h @message %></p> <p id="errorExplanation"><%=h @message %></p>
<p><a href="javascript:history.back()">Back</a></p> <p><a href="javascript:history.back()">Back</a></p>
<% html_title @status %> <% html_title h(@status) %>


@ -82,7 +82,7 @@ when "IssueCustomField" %>
<fieldset><legend><%=l(:label_tracker_plural)%></legend> <fieldset><legend><%=l(:label_tracker_plural)%></legend>
<% for tracker in @trackers %> <% for tracker in @trackers %>
<%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= tracker.name %> <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= h(tracker.name) %>
<% end %> <% end %>
<%= hidden_field_tag "custom_field[tracker_ids][]", '' %> <%= hidden_field_tag "custom_field[tracker_ids][]", '' %>
</fieldset> </fieldset>


@ -13,7 +13,7 @@
<tbody> <tbody>
<% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%> <% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%>
<tr class="<%= cycle("odd", "even") %>"> <tr class="<%= cycle("odd", "even") %>">
<td><%= link_to custom_field.name, :action => 'edit', :id => custom_field %></td> <td><%= link_to h(custom_field.name), :action => 'edit', :id => custom_field %></td>
<td align="center"><%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %></td> <td align="center"><%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %></td>
<td align="center"><%= checked_image custom_field.is_required? %></td> <td align="center"><%= checked_image custom_field.is_required? %></td>
<% if tab[:name] == 'IssueCustomField' %> <% if tab[:name] == 'IssueCustomField' %>


@ -25,7 +25,7 @@
<% end %> <% end %>
<% end %> <% end %>
<% html_title @document.title -%> <% html_title h(@document.title) -%>
<% content_for :header_tags do %> <% content_for :header_tags do %>
<%= stylesheet_link_tag 'scm' %> <%= stylesheet_link_tag 'scm' %>


@ -101,7 +101,7 @@ height = (show_weeks ? header_heigth : header_heigth + g_height)
width = ((month_f >> 1) - month_f) * zoom - 1 width = ((month_f >> 1) - month_f) * zoom - 1
%> %>
<div style="left:<%= left %>px;width:<%= width %>px;height:<%= height %>px;" class="gantt_hdr"> <div style="left:<%= left %>px;width:<%= width %>px;height:<%= height %>px;" class="gantt_hdr">
<%= link_to "#{month_f.year}-#{month_f.month}", @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%> <%= link_to h("#{month_f.year}-#{month_f.month}"), @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%>
</div> </div>
<% <%
left = left + width + 1 left = left + width + 1


@ -19,7 +19,7 @@
<tbody> <tbody>
<% for status in @issue_statuses %> <% for status in @issue_statuses %>
<tr class="<%= cycle("odd", "even") %>"> <tr class="<%= cycle("odd", "even") %>">
<td><%= link_to status.name, :action => 'edit', :id => status %></td> <td><%= link_to h(status.name), :action => 'edit', :id => status %></td>
<% if Issue.use_status_for_done_ratio? %> <% if Issue.use_status_for_done_ratio? %>
<td align="center"><%= h status.default_done_ratio %></td> <td align="center"><%= h status.default_done_ratio %></td>
<% end %> <% end %>


@ -4,7 +4,7 @@
<% if @issue.new_record? || @allowed_statuses.any? %> <% if @issue.new_record? || @allowed_statuses.any? %>
<p><%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %></p> <p><%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %></p>
<% else %> <% else %>
<p><label><%= l(:field_status) %></label> <%= @issue.status.name %></p> <p><label><%= l(:field_status) %></label> <%= h(@issue.status.name) %></p>
<% end %> <% end %>
<p><%= f.select :priority_id, (@priorities.collect {|p| [p.name, p.id]}), {:required => true}, :disabled => !@issue.leaf? %></p> <p><%= f.select :priority_id, (@priorities.collect {|p| [p.name, p.id]}), {:required => true}, :disabled => !@issue.leaf? %></p>


@ -9,10 +9,10 @@
</tr></thead> </tr></thead>
<tbody> <tbody>
<% for issue in issues %> <% for issue in issues %>
<tr id="issue-<%= issue.id %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %>"> <tr id="issue-<%= h(issue.id) %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %>">
<td class="id"> <td class="id">
<%= check_box_tag("ids[]", issue.id, false, :style => 'display:none;') %> <%= check_box_tag("ids[]", issue.id, false, :style => 'display:none;') %>
<%= link_to issue.id, :controller => 'issues', :action => 'show', :id => issue %> <%= link_to(h(issue.id), :controller => 'issues', :action => 'show', :id => issue) %>
</td> </td>
<td class="project"><%= link_to_project(issue.project) %></td> <td class="project"><%= link_to_project(issue.project) %></td>
<td class="tracker"><%=h issue.tracker %></td> <td class="tracker"><%=h issue.tracker %></td>
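Review bot: `h(issue.id)` in the `tr id` attribute and in the `link_to` text escapes an integer primary key, which is a no-op; the value on that same row still worth a look is `issue.css_classes`, which remains interpolated raw into the class attribute. If it is built only from numeric positions and fixed tokens, a comment saying so saves the next auditor the lookup, e.g. `<%# css_classes is built from fixed tokens and positions, not user-entered text %>`; if it can carry names, it needs `h` like its neighbours.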


@ -14,7 +14,7 @@
<%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %>
<%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %> <%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %>
</td> </td>
<td><%= relation.other_issue(@issue).status.name %></td> <td><%= h(relation.other_issue(@issue).status.name) %></td>
<td><%= format_date(relation.other_issue(@issue).start_date) %></td> <td><%= format_date(relation.other_issue(@issue).start_date) %></td>
<td><%= format_date(relation.other_issue(@issue).due_date) %></td> <td><%= format_date(relation.other_issue(@issue).due_date) %></td>
<td><%= link_to_remote(image_tag('delete.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :issue_id => @issue, :id => relation}, <td><%= link_to_remote(image_tag('delete.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :issue_id => @issue, :id => relation},


@ -6,7 +6,7 @@
</div> </div>
<h2><%= @query.new_record? ? l(:label_issue_plural) : h(@query.name) %></h2> <h2><%= @query.new_record? ? l(:label_issue_plural) : h(@query.name) %></h2>
<% html_title(@query.new_record? ? l(:label_issue_plural) : @query.name) %> <% html_title(@query.new_record? ? l(:label_issue_plural) : h(@query.name)) %>
<% form_tag({ :controller => 'queries', :action => 'new' }, :id => 'query_form') do %> <% form_tag({ :controller => 'queries', :action => 'new' }, :id => 'query_form') do %>
<%= hidden_field_tag('project_id', @project.to_param) if @project %> <%= hidden_field_tag('project_id', @project.to_param) if @project %>


@ -113,7 +113,7 @@
<%= f.link_to 'PDF' %> <%= f.link_to 'PDF' %>
<% end %> <% end %>
<% html_title "#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}" %> <% html_title h("#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}") %>
<% content_for :sidebar do %> <% content_for :sidebar do %>
<%= render :partial => 'issues/sidebar' %> <%= render :partial => 'issues/sidebar' %>


@ -1,2 +1,2 @@
<p><%= l(:notice_account_activated) %></p> <p><%= l(:notice_account_activated) %></p>
<p><%= l(:label_login) %>: <%= link_to @login_url, @login_url %></p> <p><%= l(:label_login) %>: <%= link_to h(@login_url), @login_url %></p>


@ -1,2 +1,2 @@
<p><%= l(:mail_body_account_activation_request, h(@user.login)) %></p> <p><%= l(:mail_body_account_activation_request, h(@user.login)) %></p>
<p><%= link_to @url, @url %></p> <p><%= link_to h(@url), @url %></p>


@ -1,4 +1,4 @@
<%= link_to @added_to, @added_to_url %><br /> <%= link_to h(@added_to), @added_to_url %><br />
<ul><% @attachments.each do |attachment | %> <ul><% @attachments.each do |attachment | %>
<li><%=h attachment.filename %></li> <li><%=h attachment.filename %></li>


@ -2,7 +2,7 @@
<ul> <ul>
<% @issues.each do |issue| -%> <% @issues.each do |issue| -%>
<li><%=h issue.project %> - <%=link_to("#{issue.tracker} ##{issue.id}", :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %></li> <li><%=h issue.project %> - <%=link_to(h("#{issue.tracker} ##{issue.id}"), :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %></li>
<% end -%> <% end -%>
</ul> </ul>


@ -3,4 +3,4 @@
<em><%=h @wiki_content.comments %></em></p> <em><%=h @wiki_content.comments %></em></p>
<p><%= l(:label_view_diff) %>:<br /> <p><%= l(:label_view_diff) %>:<br />
<%= link_to @wiki_diff_url, @wiki_diff_url %></p> <%= link_to h(@wiki_diff_url), @wiki_diff_url %></p>


@ -63,7 +63,7 @@
<% end %> <% end %>
<% end %> <% end %>
<% html_title @news.title -%> <% html_title h(@news.title) -%>
<% content_for :header_tags do %> <% content_for :header_tags do %>
<%= stylesheet_link_tag 'scm' %> <%= stylesheet_link_tag 'scm' %>


@ -42,7 +42,7 @@
<% @trackers.each do |tracker| %> <% @trackers.each do |tracker| %>
<label class="floating"> <label class="floating">
<%= check_box_tag 'project[tracker_ids][]', tracker.id, @project.trackers.include?(tracker) %> <%= check_box_tag 'project[tracker_ids][]', tracker.id, @project.trackers.include?(tracker) %>
<%= tracker %> <%= h(tracker) %>
</label> </label>
<% end %> <% end %>
<%= hidden_field_tag 'project[tracker_ids][]', '' %> <%= hidden_field_tag 'project[tracker_ids][]', '' %>
@ -54,7 +54,7 @@
<% @issue_custom_fields.each do |custom_field| %> <% @issue_custom_fields.each do |custom_field| %>
<label class="floating"> <label class="floating">
<%= check_box_tag 'project[issue_custom_field_ids][]', custom_field.id, (@project.all_issue_custom_fields.include? custom_field), (custom_field.is_for_all? ? {:disabled => "disabled"} : {}) %> <%= check_box_tag 'project[issue_custom_field_ids][]', custom_field.id, (@project.all_issue_custom_fields.include? custom_field), (custom_field.is_for_all? ? {:disabled => "disabled"} : {}) %>
<%= custom_field.name %> <%= h(custom_field.name) %>
</label> </label>
<% end %> <% end %>
<%= hidden_field_tag 'project[issue_custom_field_ids][]', '' %> <%= hidden_field_tag 'project[issue_custom_field_ids][]', '' %>


@ -4,7 +4,7 @@
<% members = @members.group_by {|m| m.role } %> <% members = @members.group_by {|m| m.role } %>
<% members.keys.sort{|x,y| x.position <=> y.position}.each do |role| %> <% members.keys.sort{|x,y| x.position <=> y.position}.each do |role| %>
<h3><%= role.name %></h3> <h3><%= h(role.name) %></h3>
<ul> <ul>
<% members[role].each do |m| %> <% members[role].each do |m| %>
<li><%= link_to_user m.user %> (<%= format_date m.created_on %>)</li> <li><%= link_to_user m.user %> (<%= format_date m.created_on %>)</li>


@ -18,7 +18,7 @@
<% end %> <% end %>
<% @project.visible_custom_field_values.each do |custom_value| %> <% @project.visible_custom_field_values.each do |custom_value| %>
<% if !custom_value.value.blank? %> <% if !custom_value.value.blank? %>
<li><%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %></li> <li><%= h(custom_value.custom_field.name) %>: <%=h show_value(custom_value) %></li>
<% end %> <% end %>
<% end %> <% end %>
</ul> </ul>
@ -28,7 +28,7 @@
<h3><%=l(:label_issue_tracking)%></h3> <h3><%=l(:label_issue_tracking)%></h3>
<ul> <ul>
<% for tracker in @trackers %> <% for tracker in @trackers %>
<li><%= link_to tracker.name, :controller => 'issues', :action => 'index', :project_id => @project, <li><%= link_to h(tracker.name), :controller => 'issues', :action => 'index', :project_id => @project,
:set_filter => 1, :set_filter => 1,
"tracker_id" => tracker.id %>: "tracker_id" => tracker.id %>:
<%= l(:label_x_open_issues_abbr_on_total, :count => @open_issues_by_tracker[tracker].to_i, <%= l(:label_x_open_issues_abbr_on_total, :count => @open_issues_by_tracker[tracker].to_i,


@ -11,7 +11,7 @@
<% @queries.each do |query| %> <% @queries.each do |query| %>
<tr class="<%= cycle('odd', 'even') %>"> <tr class="<%= cycle('odd', 'even') %>">
<td> <td>
<%= link_to query.name, :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %> <%= link_to h(query.name), :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %>
</td> </td>
<td align="right"> <td align="right">
<small> <small>


@ -6,7 +6,7 @@
<thead><tr> <thead><tr>
<th style="width:25%"></th> <th style="width:25%"></th>
<% for status in @statuses %> <% for status in @statuses %>
<th style="width:<%= col_width %>%"><%= status.name %></th> <th style="width:<%= col_width %>%"><%= h(status.name) %></th>
<% end %> <% end %>
<th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_open_issues_plural)%></strong></th> <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_open_issues_plural)%></strong></th>
<th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_closed_issues_plural)%></strong></th> <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_closed_issues_plural)%></strong></th>
@ -15,7 +15,7 @@
<tbody> <tbody>
<% for row in rows %> <% for row in rows %>
<tr class="<%= cycle("odd", "even") %>"> <tr class="<%= cycle("odd", "even") %>">
<td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)),
:set_filter => 1, :set_filter => 1,
:subproject_id => '!*', :subproject_id => '!*',
"#{field_name}" => row.id %></td> "#{field_name}" => row.id %></td>


@ -11,7 +11,7 @@
<tbody> <tbody>
<% for row in rows %> <% for row in rows %>
<tr class="<%= cycle("odd", "even") %>"> <tr class="<%= cycle("odd", "even") %>">
<td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)),
:set_filter => 1, :set_filter => 1,
:subproject_id => '!*', :subproject_id => '!*',
"#{field_name}" => row.id %></td> "#{field_name}" => row.id %></td>


@ -25,4 +25,4 @@ dirs.each do |dir|
%> %>
<%= "@ #{h rev_text}" unless rev_text.blank? %> <%= "@ #{h rev_text}" unless rev_text.blank? %>
<% html_title(with_leading_slash(path)) -%> <% html_title(h(with_leading_slash(path))) -%>
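Review bot: After this change html_title receives an already-escaped string, so the helper must not escape its arguments again and every future caller is responsible for remembering `h(...)` itself; the same escape-at-caller pattern is used in the diff, user, version and wiki hunks below (lines 556, 620, 627, 654, 699, 749). The helper is outside this commit's view hunks, so I cannot confirm which convention it implements; a more robust shape is to escape once inside html_title, at the point the joined title is emitted, and pass raw model values from the views. If the escape-at-caller convention is kept, please document it on html_title, e.g. `# Arguments must already be HTML-escaped; the layout emits the joined title as-is.`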


@ -3,7 +3,7 @@
depth = params[:depth].to_i %> depth = params[:depth].to_i %>
<% ent_path = replace_invalid_utf8(entry.path) %> <% ent_path = replace_invalid_utf8(entry.path) %>
<% ent_name = replace_invalid_utf8(entry.name) %> <% ent_name = replace_invalid_utf8(entry.name) %>
<tr id="<%= tr_id %>" class="<%= h params[:parent_id] %> entry <%= entry.kind %>"> <tr id="<%= tr_id %>" class="<%= h params[:parent_id] %> entry <%= h(entry.kind) %>">
<td style="padding-left: <%=18 * depth%>px;" class="filename"> <td style="padding-left: <%=18 * depth%>px;" class="filename">
<% if entry.is_dir? %> <% if entry.is_dir? %>
<span class="expander" onclick="<%= remote_function :url => {:action => 'show', :id => @project, :path => to_path_param(ent_path), :rev => @rev, :depth => (depth + 1), :parent_id => tr_id}, <span class="expander" onclick="<%= remote_function :url => {:action => 'show', :id => @project, :path => to_path_param(ent_path), :rev => @rev, :depth => (depth + 1), :parent_id => tr_id},
@ -21,7 +21,7 @@
<% changeset = @project.repository.find_changeset_by_name(entry.lastrev.identifier) if entry.lastrev && entry.lastrev.identifier %> <% changeset = @project.repository.find_changeset_by_name(entry.lastrev.identifier) if entry.lastrev && entry.lastrev.identifier %>
<td class="revision"><%= link_to_revision(changeset, @project) if changeset %></td> <td class="revision"><%= link_to_revision(changeset, @project) if changeset %></td>
<td class="age"><%= distance_of_time_in_words(entry.lastrev.time, Time.now) if entry.lastrev && entry.lastrev.time %></td> <td class="age"><%= distance_of_time_in_words(entry.lastrev.time, Time.now) if entry.lastrev && entry.lastrev.time %></td>
<td class="author"><%= changeset.nil? ? h(replace_invalid_utf8(entry.lastrev.author.to_s.split('<').first)) : changeset.author if entry.lastrev %></td> <td class="author"><%= changeset.nil? ? h(replace_invalid_utf8(entry.lastrev.author.to_s.split('<').first)) : h(changeset.author) if entry.lastrev %></td>
<td class="comments"><%=h truncate(Changeset.to_utf8(changeset.comments, changeset.repository.repo_log_encoding), :length => 50) unless changeset.nil? %></td> <td class="comments"><%=h truncate(Changeset.to_utf8(changeset.comments, changeset.repository.repo_log_encoding), :length => 50) unless changeset.nil? %></td>
</tr> </tr>
<% end %> <% end %>
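Review bot: `id="<%= tr_id %>"` on the `<tr>` line is still emitted unescaped while `params[:parent_id]` and `entry.kind` on the same line now go through `h`; tr_id is assigned before this hunk (not visible here), and if it is derived from the entry path or name it needs the same treatment, `<tr id="<%= h(tr_id) %>" ...>`. The same tr_id and `to_path_param(ent_path)` are also interpolated into the inline `onclick` built by remote_function; url_for encodes the query values, but confirm that the generated JavaScript string cannot break out of the attribute for path names containing quotes.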


@ -16,7 +16,7 @@
<%= f.link_to 'Diff', :url => params, :caption => 'Unified diff' %> <%= f.link_to 'Diff', :url => params, :caption => 'Unified diff' %>
<% end %> <% end %>
<% html_title(with_leading_slash(@path), 'Diff') -%> <% html_title(h(with_leading_slash(@path)), 'Diff') -%>
<% content_for :header_tags do %> <% content_for :header_tags do %>
<%= stylesheet_link_tag "scm" %> <%= stylesheet_link_tag "scm" %>


@ -21,7 +21,7 @@
<h2><%= l(:label_revision) %> <%= format_revision(@changeset) %></h2> <h2><%= l(:label_revision) %> <%= format_revision(@changeset) %></h2>
<p><% if @changeset.scmid %>ID: <%= @changeset.scmid %><br /><% end %> <p><% if @changeset.scmid %>ID: <%= h(@changeset.scmid) %><br /><% end %>
<span class="author"><%= authoring(@changeset.committed_on, @changeset.author) %></span></p> <span class="author"><%= authoring(@changeset.committed_on, @changeset.author) %></span></p>
<%= textilizable @changeset.comments %> <%= textilizable @changeset.comments %>
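Review bot: The `<h2>` on the first line of this hunk still emits `format_revision(@changeset)` unescaped while `@changeset.scmid` one line later is now wrapped in `h`; both come from the same repository metadata. If format_revision returns a plain identifier string rather than html_safe markup, it should get the same treatment: `<%= h(format_revision(@changeset)) %>`. The `textilizable` call on the last line is presumably the sanitising formatter and is left as is.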


@ -13,7 +13,7 @@
<tbody> <tbody>
<% for role in @roles %> <% for role in @roles %>
<tr class="<%= cycle("odd", "even") %>"> <tr class="<%= cycle("odd", "even") %>">
<td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(role.name, :action => 'edit', :id => role)) %></td> <td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(h(role.name), :action => 'edit', :id => role)) %></td>
<td align="center" style="width:15%;"> <td align="center" style="width:15%;">
<% unless role.builtin? %> <% unless role.builtin? %>
<%= reorder_links('role', {:action => 'edit', :id => role}) %> <%= reorder_links('role', {:action => 'edit', :id => role}) %>


@ -31,9 +31,9 @@
<% @results.each do |e| %> <% @results.each do |e| %>
<dt class="<%= e.event_type %>"> <dt class="<%= e.event_type %>">
<%= content_tag('span', h(e.project), :class => 'project') unless @project == e.project %> <%= content_tag('span', h(e.project), :class => 'project') unless @project == e.project %>
<%= link_to highlight_tokens(truncate(e.event_title, :length => 255), @tokens), e.event_url %> <%= link_to highlight_tokens(truncate(h(e.event_title), :length => 255), @tokens), e.event_url %>
</dt> </dt>
<dd><span class="description"><%= highlight_tokens(e.event_description, @tokens) %></span> <dd><span class="description"><%= highlight_tokens(h(e.event_description), @tokens) %></span>
<span class="author"><%= format_time(e.event_datetime) %></span></dd> <span class="author"><%= format_time(e.event_datetime) %></span></dd>
<% end %> <% end %>
</dl> </dl>
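Review bot: `truncate(h(e.event_title), :length => 255)` escapes first and truncates second, so the cut can land inside an entity such as `&amp;` and leave a dangling `&am` in the output; the robust order is to truncate the raw value and escape the result, `highlight_tokens(h(truncate(e.event_title, :length => 255)), @tokens)`. This also assumes highlight_tokens does not escape its input itself, otherwise the title and description are now double-escaped; that helper is not in the diff, so please confirm. `<dt class="<%= e.event_type %>">` on the line above stays unescaped, which is fine only if event_type is a fixed internal identifier.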


@ -15,9 +15,9 @@
<% entries.each do |entry| -%> <% entries.each do |entry| -%>
<tr class="time-entry <%= cycle("odd", "even") %>"> <tr class="time-entry <%= cycle("odd", "even") %>">
<td class="spent_on"><%= format_date(entry.spent_on) %></td> <td class="spent_on"><%= format_date(entry.spent_on) %></td>
<td class="user"><%=h entry.user %></td> <td class="user"><%= link_to_user(entry.user) %></td>
<td class="activity"><%=h entry.activity %></td> <td class="activity"><%=h entry.activity %></td>
<td class="project"><%=h entry.project %></td> <td class="project"><%= link_to_project(entry.project) %></td>
<td class="subject"> <td class="subject">
<% if entry.issue -%> <% if entry.issue -%>
<%= entry.issue.visible? ? link_to_issue(entry.issue, :truncate => 50) : "##{entry.issue.id}" -%> <%= entry.issue.visible? ? link_to_issue(entry.issue, :truncate => 50) : "##{entry.issue.id}" -%>
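Review bot: Replacing `h entry.user` and `h entry.project` with `link_to_user` / `link_to_project` moves the escaping of the user and project names into those helpers, which are not part of this diff; the change is only safe if they escape the displayed name themselves, so please verify that rather than assume it. The same dependency is introduced for `link_to_user` in the wiki diff and wiki show hunks (lines 687, 690 and 742). A comment on the helpers stating that they escape their output, e.g. `# Returns HTML-escaped link text; safe to emit directly in views.`, would make this contract visible to the next caller.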


@ -14,7 +14,7 @@
<tbody> <tbody>
<% for tracker in @trackers %> <% for tracker in @trackers %>
<tr class="<%= cycle("odd", "even") %>"> <tr class="<%= cycle("odd", "even") %>">
<td><%= link_to tracker.name, :action => 'edit', :id => tracker %></td> <td><%= link_to h(tracker.name), :action => 'edit', :id => tracker %></td>
<td align="center"><% unless tracker.workflows.count > 0 %><span class="icon icon-warning"><%= l(:text_tracker_no_workflow) %> (<%= link_to l(:button_edit), {:controller => 'workflows', :action => 'edit', :tracker_id => tracker} %>)</span><% end %></td> <td align="center"><% unless tracker.workflows.count > 0 %><span class="icon icon-warning"><%= l(:text_tracker_no_workflow) %> (<%= link_to l(:button_edit), {:controller => 'workflows', :action => 'edit', :tracker_id => tracker} %>)</span><% end %></td>
<td align="center" style="width:15%;"><%= reorder_links('tracker', {:action => 'edit', :id => tracker}) %></td> <td align="center" style="width:15%;"><%= reorder_links('tracker', {:action => 'edit', :id => tracker}) %></td>
<td class="buttons"> <td class="buttons">


@ -7,4 +7,4 @@
<%= render_tabs user_settings_tabs %> <%= render_tabs user_settings_tabs %>
<% html_title(l(:label_user), @user.login, l(:label_administration)) -%> <% html_title(l(:label_user), h(@user.login), l(:label_administration)) -%>


@ -70,4 +70,4 @@
<%= call_hook :view_account_right_bottom, :user => @user %> <%= call_hook :view_account_right_bottom, :user => @user %>
</div> </div>
<% html_title @user.name %> <% html_title h(@user.name) %>


@ -15,7 +15,7 @@
<% counts.each do |count| %> <% counts.each do |count| %>
<tr> <tr>
<td width="130px" align="right" > <td width="130px" align="right" >
<%= link_to count[:group], {:controller => 'issues', <%= link_to h(count[:group]), {:controller => 'issues',
:action => 'index', :action => 'index',
:project_id => version.project, :project_id => version.project,
:set_filter => 1, :set_filter => 1,


@ -5,7 +5,7 @@
<% else %> <% else %>
<div id="roadmap"> <div id="roadmap">
<% @versions.each do |version| %> <% @versions.each do |version| %>
<h3 class="version"><%= tag 'a', :name => version.name %><%= link_to_version version %></h3> <h3 class="version"><%= tag 'a', :name => h(version.name) %><%= link_to_version version %></h3>
<%= render :partial => 'versions/overview', :locals => {:version => version} %> <%= render :partial => 'versions/overview', :locals => {:version => version} %>
<%= render(:partial => "wiki/content", :locals => {:content => version.wiki_page.content}) if version.wiki_page %> <%= render(:partial => "wiki/content", :locals => {:content => version.wiki_page.content}) if version.wiki_page %>
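Review bot: `tag 'a', :name => h(version.name)` double-escapes: the `tag` helper already HTML-escapes attribute values, so a version name containing `&` is rendered as `&amp;amp;`, and the anchor then no longer matches whatever fragment `link_to_version` generates for it. Dropping the inner `h` and relying on the helper, `<%= tag 'a', :name => version.name %>`, keeps the attribute escaped exactly once. Either way the `name` attribute and the fragment used by link_to_version must agree, which I cannot verify from this hunk.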


@ -46,4 +46,4 @@
<%= call_hook :view_versions_show_bottom, :version => @version %> <%= call_hook :view_versions_show_bottom, :version => @version %>
<% html_title @version.name %> <% html_title h(@version.name) %>


@ -3,11 +3,11 @@
<%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %> <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
</div> </div>
<h2><%= @page.pretty_title %></h2> <h2><%= h(@page.pretty_title) %></h2>
<p> <p>
<%= l(:label_version) %> <%= link_to @annotate.content.version, :action => 'show', :id => @page.title, :version => @annotate.content.version %> <%= l(:label_version) %> <%= link_to h(@annotate.content.version), :action => 'show', :id => @page.title, :version => @annotate.content.version %>
<em>(<%= @annotate.content.author ? @annotate.content.author.name : "anonyme" %>, <%= format_time(@annotate.content.updated_on) %>)</em> <em>(<%= h(@annotate.content.author ? @annotate.content.author.name : "anonyme") %>, <%= format_time(@annotate.content.updated_on) %>)</em>
</p> </p>
<% colors = Hash.new {|k,v| k[v] = (k.size % 12) } %> <% colors = Hash.new {|k,v| k[v] = (k.size % 12) } %>


@ -12,7 +12,7 @@
<h3><%= format_date(date) %></h3> <h3><%= format_date(date) %></h3>
<ul> <ul>
<% @pages_by_date[date].each do |page| %> <% @pages_by_date[date].each do |page| %>
<li><%= link_to page.pretty_title, :action => 'show', :id => page.title, :project_id => page.project %></li> <li><%= link_to h(page.pretty_title), :action => 'show', :id => page.title, :project_id => page.project %></li>
<% end %> <% end %>
</ul> </ul>
<% end %> <% end %>


@ -2,14 +2,14 @@
<%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %> <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
</div> </div>
<h2><%= @page.pretty_title %></h2> <h2><%= h(@page.pretty_title) %></h2>
<p> <p>
<%= l(:label_version) %> <%= link_to @diff.content_from.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_from.version %> <%= l(:label_version) %> <%= link_to @diff.content_from.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_from.version %>
<em>(<%= @diff.content_from.author ? @diff.content_from.author.name : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>)</em> <em>(<%= @diff.content_from.author ? link_to_user(@diff.content_from.author) : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>)</em>
&#8594; &#8594;
<%= l(:label_version) %> <%= link_to @diff.content_to.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_to.version %>/<%= @page.content.version %> <%= l(:label_version) %> <%= link_to @diff.content_to.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_to.version %>/<%= @page.content.version %>
<em>(<%= @diff.content_to.author ? @diff.content_to.author.name : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>)</em> <em>(<%= @diff.content_to.author ? link_to_user(@diff.content_to.author) : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>)</em>
</p> </p>
<div class="text-diff"> <div class="text-diff">


@ -26,4 +26,4 @@
<%= robot_exclusion_tag %> <%= robot_exclusion_tag %>
<% end %> <% end %>
<% html_title @page.pretty_title %> <% html_title h(@page.pretty_title) %>


@ -20,13 +20,13 @@ h1:hover a.wiki-anchor, h2:hover a.wiki-anchor, h3:hover a.wiki-anchor { display
<strong><%= l(:label_index_by_title) %></strong> <strong><%= l(:label_index_by_title) %></strong>
<ul> <ul>
<% @pages.each do |page| %> <% @pages.each do |page| %>
<li><a href="#<%= page.title %>"><%= page.pretty_title %></a></li> <li><a href="#<%= h(page.title) %>"><%= h(page.pretty_title) %></a></li>
<% end %> <% end %>
</ul> </ul>
<% @pages.each do |page| %> <% @pages.each do |page| %>
<hr /> <hr />
<a name="<%= page.title %>" /> <a name="<%= h(page.title) %>" />
<%= textilizable page.content ,:text, :wiki_links => :anchor %> <%= textilizable page.content ,:text, :wiki_links => :anchor %>
<% end %> <% end %>


@ -1,4 +1,4 @@
<h2><%= @page.pretty_title %></h2> <h2><%= h(@page.pretty_title) %></h2>
<h3><%= l(:label_history) %></h3> <h3><%= l(:label_history) %></h3>
@ -18,7 +18,7 @@
<% line_num = 1 %> <% line_num = 1 %>
<% @versions.each do |ver| %> <% @versions.each do |ver| %>
<tr class="wiki-page-version <%= cycle("odd", "even") %>"> <tr class="wiki-page-version <%= cycle("odd", "even") %>">
<td class="id"><%= link_to ver.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %></td> <td class="id"><%= link_to h(ver.version), :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %></td>
<td class="checkbox"><%= radio_button_tag('version', ver.version, (line_num==1), :id => "cb-#{line_num}", :onclick => "$('cbto-#{line_num+1}').checked=true;") if show_diff && (line_num < @versions.size) %></td> <td class="checkbox"><%= radio_button_tag('version', ver.version, (line_num==1), :id => "cb-#{line_num}", :onclick => "$('cbto-#{line_num+1}').checked=true;") if show_diff && (line_num < @versions.size) %></td>
<td class="checkbox"><%= radio_button_tag('version_from', ver.version, (line_num==2), :id => "cbto-#{line_num}") if show_diff && (line_num > 1) %></td> <td class="checkbox"><%= radio_button_tag('version_from', ver.version, (line_num==2), :id => "cbto-#{line_num}") if show_diff && (line_num > 1) %></td>
<td class="updated_on"><%= format_time(ver.created_at) %></td> <td class="updated_on"><%= format_time(ver.created_at) %></td>


@ -1,4 +1,4 @@
<h2><%= l(:button_rename) %>: <%= @original_title %></h2> <h2><%= l(:button_rename) %>: <%= h(@original_title) %></h2>
<%= error_messages_for 'page' %> <%= error_messages_for 'page' %>


@ -21,7 +21,7 @@
<%= link_to((l(:label_next) + ' &#187;'), :action => 'show', :id => @page.title, :project_id => @page.project, :version => (@content.version + 1)) + " - " if @content.version < @page.content.version %> <%= link_to((l(:label_next) + ' &#187;'), :action => 'show', :id => @page.title, :project_id => @page.project, :version => (@content.version + 1)) + " - " if @content.version < @page.content.version %>
<%= link_to(l(:label_current_version), :action => 'show', :id => @page.title, :project_id => @page.project) %> <%= link_to(l(:label_current_version), :action => 'show', :id => @page.title, :project_id => @page.project) %>
<br /> <br />
<em><%= @content.author ? @content.author.name : "anonyme" %>, <%= format_time(@content.updated_on) %> </em><br /> <em><%= @content.author ? link_to_user(@content.author) : "anonyme" %>, <%= format_time(@content.updated_on) %> </em><br />
<%=h @content.comments %> <%=h @content.comments %>
</p> </p>
<hr /> <hr />
@ -61,4 +61,4 @@
<%= render :partial => 'wiki/sidebar' %> <%= render :partial => 'wiki/sidebar' %>
<% end %> <% end %>
<% html_title @page.pretty_title %> <% html_title h(@page.pretty_title) %>


@ -1,7 +1,7 @@
<h2><%=l(:label_confirmation)%></h2> <h2><%=l(:label_confirmation)%></h2>
<div class="box"><center> <div class="box"><center>
<p><strong><%= @project.name %></strong><br /><%=l(:text_wiki_destroy_confirmation)%></p> <p><strong><%= h(@project.name) %></strong><br /><%=l(:text_wiki_destroy_confirmation)%></p>
<% form_tag({:controller => 'wikis', :action => 'destroy', :id => @project}) do %> <% form_tag({:controller => 'wikis', :action => 'destroy', :id => @project}) do %>
<%= hidden_field_tag "confirm", 1 %> <%= hidden_field_tag "confirm", 1 %>