diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
| commit | 2b86ef8e28d0e5376197391c29a8fb302f14820f (patch) | |
| tree | e5a80fb24158b350507c28021418a19aa7084991 /app/views/issues/show.rhtml | |
| parent | 3e28dc669b014db811c0de673a090adf54f42bc1 (diff) | |
| download | redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.tar.gz redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.zip | |
various modifications to prevent xss
- validation of names and labels against /^[\w\s\'\-]*$/i
- html entities encoding
git-svn-id: http://redmine.rubyforge.org/svn/trunk@99 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/views/issues/show.rhtml')
| -rw-r--r-- | app/views/issues/show.rhtml | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml index f01612aec..93b8cd008 100644 --- a/app/views/issues/show.rhtml +++ b/app/views/issues/show.rhtml @@ -2,7 +2,7 @@ <%= l(:label_export_to) %><%= link_to 'PDF', {:action => 'export_pdf', :id => @issue}, :class => 'pic picPdf' %>
</div>
-<h2><%= @issue.tracker.name %> #<%= @issue.id %> - <%= @issue.subject %></h2>
+<h2><%= @issue.tracker.name %> #<%= @issue.id %> - <%=h @issue.subject %></h2>
<div class="box">
<table width="100%">
@@ -12,7 +12,7 @@ </tr>
<tr>
<td><b><%=l(:field_assigned_to)%> :</b></td><td><%= @issue.assigned_to ? @issue.assigned_to.name : "-" %></td>
- <td><b><%=l(:field_category)%> :</b></td><td><%= @issue.category ? @issue.category.name : "-" %></td>
+ <td><b><%=l(:field_category)%> :</b></td><td><%=h @issue.category ? @issue.category.name : "-" %></td>
</tr>
<tr>
<td><b><%=l(:field_author)%> :</b></td><td><%= link_to_user @issue.author %></td>
@@ -29,7 +29,7 @@ <tr>
<% n = 0
for custom_value in @custom_values %>
- <td><b><%= custom_value.custom_field.name %> :</b></td><td><%= show_value custom_value %></td>
+ <td><b><%= custom_value.custom_field.name %> :</b></td><td><%=h show_value custom_value %></td>
<% n = n + 1
if (n > 1)
n = 0 %>
|