HTML escape some user values in account sidebar (#8345).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5747 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Toshi MARUYAMA <marutosijp2@yahoo.co.jp> 2011-05-12 00:26:16 +0000
committer: Toshi MARUYAMA <marutosijp2@yahoo.co.jp> 2011-05-12 00:26:16 +0000
commit: 1d78dd8324583686830ab25d77d0a9f2b8543564 (patch)
tree: fb5d2f529aeb3bba8c2df2f8b5d98e737e8ea185 /app/views/my
parent: 16c0b67941bc7aa3d4fc6804e36029caa2bf6fb1 (diff)
download: redmine-1d78dd8324583686830ab25d77d0a9f2b8543564.tar.gz
redmine-1d78dd8324583686830ab25d77d0a9f2b8543564.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/app/views/my/_sidebar.rhtml b/app/views/my/_sidebar.rhtml
index e7689c138..cc4a7850f 100644
--- a/app/views/my/_sidebar.rhtml
+++ b/app/views/my/_sidebar.rhtml
@@ -1,6 +1,6 @@
 <h3><%=l(:label_my_account)%></h3>
 
-<p><%=l(:field_login)%>: <strong><%= link_to @user.login, user_path(@user) %></strong><br />
+<p><%=l(:field_login)%>: <strong><%= link_to(h(@user.login), user_path(@user) %></strong><br />
 <%=l(:field_created_on)%>: <%= format_time(@user.created_on) %></p>
 
 
@@ -19,7 +19,7 @@
 <h4><%= l(:label_api_access_key) %></h4>
 <div>
   <%= link_to_function(l(:button_show), "$('api-access-key').toggle();")%>
-  <pre id='api-access-key' class='autoscroll'><%= @user.api_key %></pre>
+  <pre id='api-access-key' class='autoscroll'><%= h(@user.api_key) %></pre>
 </div>
 <%= javascript_tag("$('api-access-key').hide();") %>
 <p>
author	Toshi MARUYAMA <marutosijp2@yahoo.co.jp>	2011-05-12 00:26:16 +0000
committer	Toshi MARUYAMA <marutosijp2@yahoo.co.jp>	2011-05-12 00:26:16 +0000
commit	1d78dd8324583686830ab25d77d0a9f2b8543564 (patch)
tree	fb5d2f529aeb3bba8c2df2f8b5d98e737e8ea185 /app/views/my
parent	16c0b67941bc7aa3d4fc6804e36029caa2bf6fb1 (diff)
download	redmine-1d78dd8324583686830ab25d77d0a9f2b8543564.tar.gz redmine-1d78dd8324583686830ab25d77d0a9f2b8543564.zip