From 821f9eb390aa9a4be9909c8a276626eb6188fcdf Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 25 Oct 2009 13:28:36 +0000
Subject: [PATCH] HTML escaping (#4106).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2979 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/projects/settings/_versions.rhtml | 2 +-
 app/views/roles/edit.rhtml                  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/views/projects/settings/_versions.rhtml b/app/views/projects/settings/_versions.rhtml
index 79d92d81e..1f66dec43 100644
--- a/app/views/projects/settings/_versions.rhtml
+++ b/app/views/projects/settings/_versions.rhtml
@@ -14,7 +14,7 @@
     <td><%= link_to h(version.name), :controller => 'versions', :action => 'show', :id => version %></td>
     <td align="center"><%= format_date(version.effective_date) %></td>
     <td><%=h version.description %></td>
-    <td><%= link_to(version.wiki_page_title, :controller => 'wiki', :page => Wiki.titleize(version.wiki_page_title)) unless version.wiki_page_title.blank? || @project.wiki.nil? %></td>
+    <td><%= link_to(h(version.wiki_page_title), :controller => 'wiki', :page => Wiki.titleize(version.wiki_page_title)) unless version.wiki_page_title.blank? || @project.wiki.nil? %></td>
     <td align="center"><%= link_to_if_authorized l(:button_edit), { :controller => 'versions', :action => 'edit', :id => version }, :class => 'icon icon-edit' %></td>
     <td align="center"><%= link_to_if_authorized l(:button_delete), {:controller => 'versions', :action => 'destroy', :id => version}, :confirm => l(:text_are_you_sure), :method => :post, :class => 'icon icon-del' %></td>
     </tr>
diff --git a/app/views/roles/edit.rhtml b/app/views/roles/edit.rhtml
index df3a4f320..61fcc633a 100644
--- a/app/views/roles/edit.rhtml
+++ b/app/views/roles/edit.rhtml
@@ -1,4 +1,4 @@
-<h2><%= link_to l(:label_role_plural), :controller => 'roles', :action => 'index' %> &#187; <%= @role.name %></h2> 
+<h2><%= link_to l(:label_role_plural), :controller => 'roles', :action => 'index' %> &#187; <%=h @role.name %></h2> 
 
 <% labelled_tabular_form_for :role, @role, :url => { :action => 'edit' }, :html => {:id => 'role_form'} do |f| %>
 <%= render :partial => 'form', :locals => { :f => f } %>
-- 
2.39.5