various modifications to prevent xss

- validation of names and labels against /^[\w\s\'\-]*$/i
- html entities encoding

git-svn-id: http://redmine.rubyforge.org/svn/trunk@99 e93f8b46-1217-0410-a6f0-8f06a7374b81

2 files changed, 6 insertions, 2 deletions

diff --git a/app/views/news/_news.rhtml b/app/views/news/_news.rhtml
new file mode 100644
index 000000000..75a80d634
--- /dev/null
+++ b/app/views/news/_news.rhtml
@@ -0,0 +1,4 @@
+<p><%= link_to h(news.title), :controller => 'news', :action => 'show', :id => news %><br />

+<% unless news.summary.empty? %><%=h news.summary %><br /><% end %>

+<em><%= news.author.name %>, <%= format_time(news.created_on) %></em><br />

+<%= news.comments_count %> <%= lwr(:label_comment, news.comments_count).downcase %><br /></p>

diff --git a/app/views/news/show.rhtml b/app/views/news/show.rhtml
index e5f199fa2..374bf72af 100644
--- a/app/views/news/show.rhtml
+++ b/app/views/news/show.rhtml
@@ -3,9 +3,9 @@
 <%= link_to_if_authorized l(:button_delete), {:controller => 'news', :action => 'destroy', :id => @news}, :confirm => l(:text_are_you_sure), :post => true, :class => 'pic picDelete' %>

 </div>

 

-<h2><%= @news.title %></h2>

+<h2><%=h @news.title %></h2>

 

-<p><em><%= @news.summary %><br />

+<p><em><%=h @news.summary %><br />

 <%= @news.author.display_name %>, <%= format_time(@news.created_on) %></em></p>

 <br />

 <%= textilizable auto_link @news.description %>