Escape flash messages (#19117).

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Tue, 17 Feb 2015 17:47:36 +0000 (17:47 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Tue, 17 Feb 2015 17:47:36 +0000 (17:47 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 17 Feb 2015 17:47:36 +0000 (17:47 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 17 Feb 2015 17:47:36 +0000 (17:47 +0000)
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb

index 2ad7af61096fa605e1efcceda806ee6c2ab67d28..57e08c3485cba77a090f867b48fa9cd4b32b7f3c 100644 (file)
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -293,7 +293,7 @@ class AccountController < ApplicationController
      token = Token.new(:user => user, :action => "register")
      if user.save and token.save
        Mailer.register(token).deliver
-      flash[:notice] = l(:notice_account_register_done, :email => user.mail)
+      flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
        redirect_to signin_path
      else
        yield if block_given?
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb

index f3d0222e06ea86e7a15c225e03c3972bedb4df74..d7a40f9e777f0bef65fc5f9baa7fd733c047524e 100644 (file)
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -51,7 +51,7 @@ class AdminController < ApplicationController
          Redmine::DefaultData::Loader::load(params[:lang])
          flash[:notice] = l(:notice_default_data_loaded)
        rescue Exception => e
-        flash[:error] = l(:error_can_t_load_default_data, e.message)
+        flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
        end
      end
      redirect_to admin_path
@@ -63,9 +63,9 @@ class AdminController < ApplicationController
      ActionMailer::Base.raise_delivery_errors = true
      begin
        @test = Mailer.test_email(User.current).deliver
-      flash[:notice] = l(:notice_email_sent, User.current.mail)
+      flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
      rescue Exception => e
-      flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
+      flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
      end
      ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
      redirect_to settings_path(:tab => 'notifications')
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Tue, 17 Feb 2015 17:47:36 +0000 (17:47 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Tue, 17 Feb 2015 17:47:36 +0000 (17:47 +0000)
app/controllers/account_controller.rb		patch \| blob \| history
app/controllers/admin_controller.rb		patch \| blob \| history