Escape possible HTML content in a lot of places

(ActionItem1476)

Escape possible HTML content in a lot of places
(ActionItem1476)
Antonio Terceiro
1 parent b59e4735
Showing 9 changed files with 11 additions and 11 deletions Show diff stats
app/helpers/application_helper.rb
app/helpers/content_viewer_helper.rb
app/helpers/tags_helper.rb
app/views/blocks/profile_image.rhtml
app/views/blocks/profile_info.rhtml
app/views/layouts/application-ng.rhtml
app/views/layouts/application.rhtml
app/views/profile/index.rhtml
app/views/profile_editor/index.rhtml
@@ -459,7 +459,7 @@ module ApplicationHelper
   # #profile_image) or only its name below.
   def profile_add_link( profile, image=false, size=:portrait, tag='li')
     the_class = profile.members.include?(user) ? 'profile_member' : ''
-    name = profile.short_name
+    name = h(profile.short_name)
     if image
       display = content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
                 content_tag( 'span', name, :class => 'org' ) +
@@ -492,7 +492,7 @@ module ApplicationHelper
     content_tag tag,
         link_to(
             content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
-            content_tag( 'span', name, :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
+            content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
             city + profile_sex_icon( profile ) + profile_cat_icons( profile ),
             profile.url,
             :onclick => 'document.location.href = this.href', # work-arround for ie.
@@ -505,7 +505,7 @@ module ApplicationHelper
   # displays a link to the community homepage with its image (as generated by
   # #profile_image) and its name and number of members beside it.
   def community_image_link( profile, size=:portrait, tag='li' )
-    name = profile.name
+    name = h(profile.name)
     content_tag tag,
         link_to(
             content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
@@ -14,7 +14,7 @@ module ContentViewerHelper
   def article_title(article, args = {})
     title = article.display_title if article.kind_of?(UploadedFile) && article.image?
     title = article.title if title.blank?
-    title = content_tag('h1', title, :class => 'title')
+    title = content_tag('h1', h(title), :class => 'title')
     if article.belongs_to_blog?
       unless args[:no_link]
         title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
@@ -57,7 +57,7 @@ module TagsHelper
         display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
         link_to tag + display_count, destination, :style => style
       else
-        link_to tag , destination, :style => style,
+        link_to h(tag) , destination, :style => style,
           :title => n_( 'one item', '%d items', count ) % count
       end
@@ -11,7 +11,7 @@
 </div>
 <% if show_name %>
-  <p><%= block.owner.short_name %></p>
+  <p><%= h block.owner.short_name %></p>
 <% end %>
 <% if !user.nil? and user.has_permission?('edit_profile', profile) %>
 <div class="vcard">
-<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= block.owner.short_name %></h2>
+<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= h block.owner.short_name %></h2>
 <div class="profile-info-picture">
   <div class="profile-info-picture-inner1">
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>">
   <head>
-    <title><%= page_title %></title>
+    <title><%= h page_title %></title>
     <%= meta_tags_for_article(@page) %>
     <!--<meta http-equiv="refresh" content="1"/>-->
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>">
   <head>
-    <title><%= page_title %></title>
+    <title><%= h page_title %></title>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <meta name="description" content="<%= @environment.name %>" />
     <meta name="keywords" content="Noosfero, Community, Open Source" />
 <%= render :partial => 'shared/disabled_enterprise' %>
-<h1><%= profile.name %></h1>
+<h1><%= h profile.name %></h1>
 <% if @action %>
   <%= render :partial => 'private_profile' %>
 <div id="profile-editor-index">
   <h1 class="block-title">
-    <span class='control-panel-title'><%= profile.short_name %></span>
+    <span class='control-panel-title'><%= h profile.short_name %></span>
     <span class='control-panel-sep'>&#150;</span>
     <span class='control-panel-subtitle'><%= _('Control Panel') %></span>
   </h1>
	@@ -459,7 +459,7 @@ module ApplicationHelper		@@ -459,7 +459,7 @@ module ApplicationHelper
459	# #profile_image) or only its name below.	459	# #profile_image) or only its name below.
460	def profile_add_link( profile, image=false, size=:portrait, tag='li')	460	def profile_add_link( profile, image=false, size=:portrait, tag='li')
461	the_class = profile.members.include?(user) ? 'profile_member' : ''	461	the_class = profile.members.include?(user) ? 'profile_member' : ''
462	- name = profile.short_name	462	+ name = h(profile.short_name)
463	if image	463	if image
464	display = content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +	464	display = content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
465	content_tag( 'span', name, :class => 'org' ) +	465	content_tag( 'span', name, :class => 'org' ) +
	@@ -492,7 +492,7 @@ module ApplicationHelper		@@ -492,7 +492,7 @@ module ApplicationHelper
492	content_tag tag,	492	content_tag tag,
493	link_to(	493	link_to(
494	content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +	494	content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
495	- content_tag( 'span', name, :class => ( profile.class == Person ? 'fn' : 'org' ) ) +	495	+ content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
496	city + profile_sex_icon( profile ) + profile_cat_icons( profile ),	496	city + profile_sex_icon( profile ) + profile_cat_icons( profile ),
497	profile.url,	497	profile.url,
498	:onclick => 'document.location.href = this.href', # work-arround for ie.	498	:onclick => 'document.location.href = this.href', # work-arround for ie.
	@@ -505,7 +505,7 @@ module ApplicationHelper		@@ -505,7 +505,7 @@ module ApplicationHelper
505	# displays a link to the community homepage with its image (as generated by	505	# displays a link to the community homepage with its image (as generated by
506	# #profile_image) and its name and number of members beside it.	506	# #profile_image) and its name and number of members beside it.
507	def community_image_link( profile, size=:portrait, tag='li' )	507	def community_image_link( profile, size=:portrait, tag='li' )
508	- name = profile.name	508	+ name = h(profile.name)
509	content_tag tag,	509	content_tag tag,
510	link_to(	510	link_to(
511	content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +	511	content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
	@@ -14,7 +14,7 @@ module ContentViewerHelper		@@ -14,7 +14,7 @@ module ContentViewerHelper
14	def article_title(article, args = {})	14	def article_title(article, args = {})
15	title = article.display_title if article.kind_of?(UploadedFile) && article.image?	15	title = article.display_title if article.kind_of?(UploadedFile) && article.image?
16	title = article.title if title.blank?	16	title = article.title if title.blank?
17	- title = content_tag('h1', title, :class => 'title')	17	+ title = content_tag('h1', h(title), :class => 'title')
18	if article.belongs_to_blog?	18	if article.belongs_to_blog?
19	unless args[:no_link]	19	unless args[:no_link]
20	title = content_tag('h1', link_to(article.name, article.url), :class => 'title')	20	title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
	@@ -57,7 +57,7 @@ module TagsHelper		@@ -57,7 +57,7 @@ module TagsHelper
57	display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""	57	display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
58	link_to tag + display_count, destination, :style => style	58	link_to tag + display_count, destination, :style => style
59	else	59	else
60	- link_to tag , destination, :style => style,	60	+ link_to h(tag) , destination, :style => style,
61	:title => n_( 'one item', '%d items', count ) % count	61	:title => n_( 'one item', '%d items', count ) % count
62	end	62	end
63		63
	@@ -11,7 +11,7 @@		@@ -11,7 +11,7 @@
11	</div>	11	</div>
12		12
13	<% if show_name %>	13	<% if show_name %>
14	- <p><%= block.owner.short_name %></p>	14	+ <p><%= h block.owner.short_name %></p>
15	<% end %>	15	<% end %>
16		16
17	<% if !user.nil? and user.has_permission?('edit_profile', profile) %>	17	<% if !user.nil? and user.has_permission?('edit_profile', profile) %>
1	<div class="vcard">	1	<div class="vcard">
2		2
3	-<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= block.owner.short_name %></h2>	3	+<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= h block.owner.short_name %></h2>
4		4
5	<div class="profile-info-picture">	5	<div class="profile-info-picture">
6	<div class="profile-info-picture-inner1">	6	<div class="profile-info-picture-inner1">
1	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">	1	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2	<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>">	2	<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>">
3	<head>	3	<head>
4	- <title><%= page_title %></title>	4	+ <title><%= h page_title %></title>
5	<%= meta_tags_for_article(@page) %>	5	<%= meta_tags_for_article(@page) %>
6	<!--<meta http-equiv="refresh" content="1"/>-->	6	<!--<meta http-equiv="refresh" content="1"/>-->
7	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>	7	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
1	<%= render :partial => 'shared/disabled_enterprise' %>	1	<%= render :partial => 'shared/disabled_enterprise' %>
2		2
3	-<h1><%= profile.name %></h1>	3	+<h1><%= h profile.name %></h1>
4		4
5	<% if @action %>	5	<% if @action %>
6	<%= render :partial => 'private_profile' %>	6	<%= render :partial => 'private_profile' %>
1	<div id="profile-editor-index">	1	<div id="profile-editor-index">
2		2
3	<h1 class="block-title">	3	<h1 class="block-title">
4	- <span class='control-panel-title'><%= profile.short_name %></span>	4	+ <span class='control-panel-title'><%= h profile.short_name %></span>
5	<span class='control-panel-sep'></span>	5	<span class='control-panel-sep'></span>
6	<span class='control-panel-subtitle'><%= _('Control Panel') %></span>	6	<span class='control-panel-subtitle'><%= _('Control Panel') %></span>
7	</h1>	7	</h1>