From 9703f576d96c113f9c73a87f85ad7da3241525b2 2008-07-02 17:27:16
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: 2008-07-02 17:27:16
Subject: [PATCH] Escapes HTML tags.

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1612 e93f8b46-1217-0410-a6f0-8f06a7374b81

---

diff --git a/app/views/account/show.rhtml b/app/views/account/show.rhtml
index 97212b3..2d0731b 100644
--- a/app/views/account/show.rhtml
+++ b/app/views/account/show.rhtml
@@ -1,7 +1,7 @@
 <h2><%=h @user.name %></h2>
 
 <p>
-<%= mail_to @user.mail unless @user.pref.hide_mail %>
+<%= mail_to(h(@user.mail)) unless @user.pref.hide_mail %>
 <ul>
     <li><%=l(:label_registered_on)%>: <%= format_date(@user.created_on) %></li>
 <% for custom_value in @custom_values %>
@@ -16,8 +16,8 @@
 <h3><%=l(:label_project_plural)%></h3>
 <ul>
 <% for membership in @memberships %>
-	<li><%= link_to membership.project.name, :controller => 'projects', :action => 'show', :id => membership.project %>
-    (<%= membership.role.name %>, <%= format_date(membership.created_on) %>)</li>
+	<li><%= link_to(h(membership.project.name), :controller => 'projects', :action => 'show', :id => membership.project) %>
+    (<%=h membership.role.name %>, <%= format_date(membership.created_on) %>)</li>
 <% end %>
 </ul>
 <% end %>
diff --git a/app/views/projects/show.rhtml b/app/views/projects/show.rhtml
index 6c82c80..d058ecf 100644
--- a/app/views/projects/show.rhtml
+++ b/app/views/projects/show.rhtml
@@ -3,7 +3,7 @@
 <div class="splitcontentleft">
 	<%= textilizable @project.description %>	
 	<ul>
-	<% unless @project.homepage.blank? %><li><%=l(:field_homepage)%>: <%= auto_link @project.homepage %></li><% end %>
+	<% unless @project.homepage.blank? %><li><%=l(:field_homepage)%>: <%= auto_link(h(@project.homepage)) %></li><% end %>
     <% if @subprojects.any? %>
  	<li><%=l(:label_subproject_plural)%>: <%= @subprojects.collect{|p| link_to(h(p.name), :action => 'show', :id => p)}.join(", ") %></li>
     <% end %>
diff --git a/app/views/users/list.rhtml b/app/views/users/list.rhtml
index d89672d..a6b0e54 100644
--- a/app/views/users/list.rhtml
+++ b/app/views/users/list.rhtml
@@ -26,10 +26,10 @@
   <tbody>
 <% for user in @users -%>
   <tr class="user <%= cycle("odd", "even") %> <%= %w(anon active registered locked)[user.status] %>">
-	<td class="username"><%= link_to user.login, :action => 'edit', :id => user %></td>
-	<td class="firstname"><%= user.firstname %></td>
-	<td class="lastname"><%= user.lastname %></td>
-	<td class="email"><%= user.mail %></td>
+	<td class="username"><%= link_to h(user.login), :action => 'edit', :id => user %></td>
+	<td class="firstname"><%= h(user.firstname) %></td>
+	<td class="lastname"><%= h(user.lastname) %></td>
+	<td class="email"><%= h(user.mail) %></td>
 	<td align="center"><%= image_tag('true.png') if user.admin? %></td>
 	<td class="created_on" align="center"><%= format_time(user.created_on) %></td>
 	<td class="last_login_on" align="center"><%= format_time(user.last_login_on) unless user.last_login_on.nil? %></td>
diff --git a/app/views/welcome/index.rhtml b/app/views/welcome/index.rhtml
index 8c25897..855248c 100644
--- a/app/views/welcome/index.rhtml
+++ b/app/views/welcome/index.rhtml
@@ -18,7 +18,7 @@
 		<ul>
 		<% for project in @projects %>
 			<li>
-			<%= link_to project.name, :controller => 'projects', :action => 'show', :id => project %> (<%= format_time(project.created_on) %>)
+			<%= link_to h(project.name), :controller => 'projects', :action => 'show', :id => project %> (<%= format_time(project.created_on) %>)
 			<%= textilizable project.short_description, :project => project %>
 			</li>
 		<% end %>