author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
commit | 2b86ef8e28d0e5376197391c29a8fb302f14820f (patch) | |
tree | e5a80fb24158b350507c28021418a19aa7084991 /app/views/issues | |
parent | 3e28dc669b014db811c0de673a090adf54f42bc1 (diff) | |
download | redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.tar.gz redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.zip |
various modifications to prevent xss
- validation of names and labels against /^[\w\s\'\-]*$/i
- html entities encoding
git-svn-id: http://redmine.rubyforge.org/svn/trunk@99 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/views/issues')
-rw-r--r-- | app/views/issues/_history.rhtml | 2 | ||||
-rw-r--r-- | app/views/issues/_list_simple.rhtml | 2 | ||||
-rw-r--r-- | app/views/issues/change_status.rhtml | 2 | ||||
-rw-r--r-- | app/views/issues/show.rhtml | 6 |
4 files changed, 6 insertions, 6 deletions
diff --git a/app/views/issues/_history.rhtml b/app/views/issues/_history.rhtml
index 6dc2a84be..da58b7d6c 100644
--- a/app/views/issues/_history.rhtml
+++ b/app/views/issues/_history.rhtml
@@ -6,6 +6,6 @@ <% end %>
</ul>
<% if journal.notes? %>
- <%= simple_format auto_link journal.notes %>
+ <%= simple_format auto_link h(journal.notes) %>
<% end %>
<% end %>
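Review bot: The escape-then-link order on the new line is the right one, but the three-call composition `simple_format auto_link h(journal.notes)` is easy to get wrong elsewhere: `h` after `auto_link` would escape the generated anchors, and `h` omitted reintroduces the injection this commit fixes. Consider moving it into one view helper, e.g. `def format_notes(text) simple_format(auto_link(h(text))) end` in ApplicationHelper, and calling that from every place journal notes are rendered; this diff is limited to app/views/issues, so other renderings of the same field cannot be checked from here. Because `h` runs first, quotes and angle brackets are neutralised before `auto_link` builds its `href` from the text, which is what makes this ordering safe.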
diff --git a/app/views/issues/_list_simple.rhtml b/app/views/issues/_list_simple.rhtml
index 94b63d613..cd2355376 100644
--- a/app/views/issues/_list_simple.rhtml
+++ b/app/views/issues/_list_simple.rhtml
@@ -15,7 +15,7 @@ <td><p class="small"><%= issue.project.name %> - <%= issue.tracker.name %><br /> <%= issue.status.name %> - <%= format_time(issue.updated_on) %></p></td>
<td>
- <p class="small"><%= link_to issue.subject, :controller => 'issues', :action => 'show', :id => issue %></p>
+ <p class="small"><%= link_to h(issue.subject), :controller => 'issues', :action => 'show', :id => issue %></p>
</td>
</tr>
<% end %>
diff --git a/app/views/issues/change_status.rhtml b/app/views/issues/change_status.rhtml
index 2ef87183d..38ca82ea2 100644
--- a/app/views/issues/change_status.rhtml
+++ b/app/views/issues/change_status.rhtml
@@ -1,4 +1,4 @@
-<h2><%=l(:label_issue)%> #<%= @issue.id %>: <%= @issue.subject %></h2>
+<h2><%=l(:label_issue)%> #<%= @issue.id %>: <%=h @issue.subject %></h2>
<%= error_messages_for 'issue' %>
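Review bot: `issue.project.name`, `issue.tracker.name` and `issue.status.name` on the context line at the top of this hunk are still output unescaped, while only the subject on the changed line gets `h`. The commit message says names are now validated against `/^[\w\s\'\-]*$/i`, but that validation is not part of this diff and, in Ruby, `^`/`$` match at line boundaries, so a name containing a newline followed by markup would still pass (`\A`/`\z` anchor the whole string); rows saved before the validation existed are not re-checked either. Escaping in the view depends on neither: `<%=h issue.project.name %> - <%=h issue.tracker.name %><br /> <%=h issue.status.name %>`.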
<%= start_form_tag({:action => 'change_status', :id => @issue}, :class => "tabular") %>
diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml
index f01612aec..93b8cd008 100644
--- a/app/views/issues/show.rhtml
+++ b/app/views/issues/show.rhtml
@@ -2,7 +2,7 @@ <%= l(:label_export_to) %><%= link_to 'PDF', {:action => 'export_pdf', :id => @issue}, :class => 'pic picPdf' %>
</div>
-<h2><%= @issue.tracker.name %> #<%= @issue.id %> - <%= @issue.subject %></h2>
+<h2><%= @issue.tracker.name %> #<%= @issue.id %> - <%=h @issue.subject %></h2>
<div class="box">
<table width="100%">
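Review bot: `@issue.tracker.name` on the new `<h2>` line is still rendered without `h` while `@issue.subject` on the same line is escaped; one more `h` makes the heading safe independently of any model validation: `<h2><%=h @issue.tracker.name %> #<%= @issue.id %> - <%=h @issue.subject %></h2>`. Tracker names are presumably admin-controlled, so the exposure is smaller than for subjects, but escaping every non-literal output keeps the rule trivial to audit and covers records created before the new name validation.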
@@ -12,7 +12,7 @@ </tr>
<tr>
<td><b><%=l(:field_assigned_to)%> :</b></td><td><%= @issue.assigned_to ? @issue.assigned_to.name : "-" %></td>
- <td><b><%=l(:field_category)%> :</b></td><td><%= @issue.category ? @issue.category.name : "-" %></td>
+ <td><b><%=l(:field_category)%> :</b></td><td><%=h @issue.category ? @issue.category.name : "-" %></td>
</tr>
<tr>
<td><b><%=l(:field_author)%> :</b></td><td><%= link_to_user @issue.author %></td>
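Review bot: `@issue.assigned_to.name` on the context line directly above the changed category line is output unescaped, although it follows exactly the pattern the commit fixes for the category cell. `User#name` is presumably composed from user-entered first and last names (not visible in this diff), so it deserves the same `h`: `<td><%=h @issue.assigned_to ? @issue.assigned_to.name : "-" %></td>`. Whether `link_to_user` on the author line escapes its output cannot be determined from this hunk and should be checked in the helper.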
@@ -29,7 +29,7 @@ <tr>
<% n = 0
for custom_value in @custom_values %>
- <td><b><%= custom_value.custom_field.name %> :</b></td><td><%= show_value custom_value %></td>
+ <td><b><%= custom_value.custom_field.name %> :</b></td><td><%=h show_value custom_value %></td>
<% n = n + 1
if (n > 1)
n = 0 %>
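Review bot: `custom_value.custom_field.name` on the changed line is still unescaped while the value beside it now gets `h`; `<td><b><%=h custom_value.custom_field.name %> :</b></td>` closes that gap without relying on the name validation. Wrapping `show_value` in `h` also assumes the helper returns plain text for every custom-field type; if it ever returns markup (a link, a rendered checkbox), the `h` here would double-escape it, so the escaping may belong inside `show_value` itself — that helper is outside this diff.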