Commit c356065816ae96a4817b247fb4cfa217513ddfd0
1 parent
b59e4735
Exists in
master
and in
29 other branches
Escape possible HTML content in a lot of places
(ActionItem1476)
Showing
9 changed files
with
11 additions
and
11 deletions
Show diff stats
app/helpers/application_helper.rb
| ... | ... | @@ -459,7 +459,7 @@ module ApplicationHelper |
| 459 | 459 | # #profile_image) or only its name below. |
| 460 | 460 | def profile_add_link( profile, image=false, size=:portrait, tag='li') |
| 461 | 461 | the_class = profile.members.include?(user) ? 'profile_member' : '' |
| 462 | - name = profile.short_name | |
| 462 | + name = h(profile.short_name) | |
| 463 | 463 | if image |
| 464 | 464 | display = content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) + |
| 465 | 465 | content_tag( 'span', name, :class => 'org' ) + |
| ... | ... | @@ -492,7 +492,7 @@ module ApplicationHelper |
| 492 | 492 | content_tag tag, |
| 493 | 493 | link_to( |
| 494 | 494 | content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) + |
| 495 | - content_tag( 'span', name, :class => ( profile.class == Person ? 'fn' : 'org' ) ) + | |
| 495 | + content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) + | |
| 496 | 496 | city + profile_sex_icon( profile ) + profile_cat_icons( profile ), |
| 497 | 497 | profile.url, |
| 498 | 498 | :onclick => 'document.location.href = this.href', # work-arround for ie. |
| ... | ... | @@ -505,7 +505,7 @@ module ApplicationHelper |
| 505 | 505 | # displays a link to the community homepage with its image (as generated by |
| 506 | 506 | # #profile_image) and its name and number of members beside it. |
| 507 | 507 | def community_image_link( profile, size=:portrait, tag='li' ) |
| 508 | - name = profile.name | |
| 508 | + name = h(profile.name) | |
| 509 | 509 | content_tag tag, |
| 510 | 510 | link_to( |
| 511 | 511 | content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) + | ... | ... |
app/helpers/content_viewer_helper.rb
| ... | ... | @@ -14,7 +14,7 @@ module ContentViewerHelper |
| 14 | 14 | def article_title(article, args = {}) |
| 15 | 15 | title = article.display_title if article.kind_of?(UploadedFile) && article.image? |
| 16 | 16 | title = article.title if title.blank? |
| 17 | - title = content_tag('h1', title, :class => 'title') | |
| 17 | + title = content_tag('h1', h(title), :class => 'title') | |
| 18 | 18 | if article.belongs_to_blog? |
| 19 | 19 | unless args[:no_link] |
| 20 | 20 | title = content_tag('h1', link_to(article.name, article.url), :class => 'title') | ... | ... |
app/helpers/tags_helper.rb
| ... | ... | @@ -57,7 +57,7 @@ module TagsHelper |
| 57 | 57 | display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : "" |
| 58 | 58 | link_to tag + display_count, destination, :style => style |
| 59 | 59 | else |
| 60 | - link_to tag , destination, :style => style, | |
| 60 | + link_to h(tag) , destination, :style => style, | |
| 61 | 61 | :title => n_( 'one item', '%d items', count ) % count |
| 62 | 62 | end |
| 63 | 63 | ... | ... |
app/views/blocks/profile_image.rhtml
app/views/blocks/profile_info.rhtml
| 1 | 1 | <div class="vcard"> |
| 2 | 2 | |
| 3 | -<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= block.owner.short_name %></h2> | |
| 3 | +<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= h block.owner.short_name %></h2> | |
| 4 | 4 | |
| 5 | 5 | <div class="profile-info-picture"> |
| 6 | 6 | <div class="profile-info-picture-inner1"> | ... | ... |
app/views/layouts/application-ng.rhtml
| 1 | 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 2 | 2 | <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>"> |
| 3 | 3 | <head> |
| 4 | - <title><%= page_title %></title> | |
| 4 | + <title><%= h page_title %></title> | |
| 5 | 5 | <%= meta_tags_for_article(@page) %> |
| 6 | 6 | <!--<meta http-equiv="refresh" content="1"/>--> |
| 7 | 7 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> | ... | ... |
app/views/layouts/application.rhtml
| 1 | 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 2 | 2 | <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>"> |
| 3 | 3 | <head> |
| 4 | - <title><%= page_title %></title> | |
| 4 | + <title><%= h page_title %></title> | |
| 5 | 5 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
| 6 | 6 | <meta name="description" content="<%= @environment.name %>" /> |
| 7 | 7 | <meta name="keywords" content="Noosfero, Community, Open Source" /> | ... | ... |
app/views/profile/index.rhtml
app/views/profile_editor/index.rhtml
| 1 | 1 | <div id="profile-editor-index"> |
| 2 | 2 | |
| 3 | 3 | <h1 class="block-title"> |
| 4 | - <span class='control-panel-title'><%= profile.short_name %></span> | |
| 4 | + <span class='control-panel-title'><%= h profile.short_name %></span> | |
| 5 | 5 | <span class='control-panel-sep'>–</span> |
| 6 | 6 | <span class='control-panel-subtitle'><%= _('Control Panel') %></span> |
| 7 | 7 | </h1> | ... | ... |