From 315ec5f65cd6f18d313d06de96f610ffea92866a Mon Sep 17 00:00:00 2001
From: Eric Davis <edavis@littlestreamsoftware.com>
Date: Wed, 11 May 2011 15:39:07 -0700
Subject: [PATCH] HTML escape some user values

---
 app/views/my/_sidebar.rhtml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/views/my/_sidebar.rhtml b/app/views/my/_sidebar.rhtml
index e7689c13..cc4a7850 100644
--- a/app/views/my/_sidebar.rhtml
+++ b/app/views/my/_sidebar.rhtml
@@ -1,6 +1,6 @@
 <h3><%=l(:label_my_account)%></h3>
 
-<p><%=l(:field_login)%>: <strong><%= link_to @user.login, user_path(@user) %></strong><br />
+<p><%=l(:field_login)%>: <strong><%= link_to(h(@user.login), user_path(@user) %></strong><br />
 <%=l(:field_created_on)%>: <%= format_time(@user.created_on) %></p>
 
 
@@ -19,7 +19,7 @@
 <h4><%= l(:label_api_access_key) %></h4>
 <div>
   <%= link_to_function(l(:button_show), "$('api-access-key').toggle();")%>
-  <pre id='api-access-key' class='autoscroll'><%= @user.api_key %></pre>
+  <pre id='api-access-key' class='autoscroll'><%= h(@user.api_key) %></pre>
 </div>
 <%= javascript_tag("$('api-access-key').hide();") %>
 <p>