From: Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
Date: Thu, 12 May 2011 00:26:16 +0000 (+0000)
Subject: HTML escape some user values in account sidebar (#8345).
X-Git-Tag: 1.2.0~146
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=1d78dd8324583686830ab25d77d0a9f2b8543564;p=redmine.git

HTML escape some user values in account sidebar (#8345).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5747 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/views/my/_sidebar.rhtml b/app/views/my/_sidebar.rhtml
index e7689c138..cc4a7850f 100644
--- a/app/views/my/_sidebar.rhtml
+++ b/app/views/my/_sidebar.rhtml
@@ -1,6 +1,6 @@
 <h3><%=l(:label_my_account)%></h3>
 
-<p><%=l(:field_login)%>: <strong><%= link_to @user.login, user_path(@user) %></strong><br />
+<p><%=l(:field_login)%>: <strong><%= link_to(h(@user.login), user_path(@user) %></strong><br />
 <%=l(:field_created_on)%>: <%= format_time(@user.created_on) %></p>
 
 
@@ -19,7 +19,7 @@
 <h4><%= l(:label_api_access_key) %></h4>
 <div>
   <%= link_to_function(l(:button_show), "$('api-access-key').toggle();")%>
-  <pre id='api-access-key' class='autoscroll'><%= @user.api_key %></pre>
+  <pre id='api-access-key' class='autoscroll'><%= h(@user.api_key) %></pre>
 </div>
 <%= javascript_tag("$('api-access-key').hide();") %>
 <p>