diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
| commit | 2b86ef8e28d0e5376197391c29a8fb302f14820f (patch) | |
| tree | e5a80fb24158b350507c28021418a19aa7084991 /app/views/projects/show.rhtml | |
| parent | 3e28dc669b014db811c0de673a090adf54f42bc1 (diff) | |
| download | redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.tar.gz redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.zip | |
various modifications to prevent xss
- validation of names and labels against /^[\w\s\'\-]*$/i
- html entities encoding
git-svn-id: http://redmine.rubyforge.org/svn/trunk@99 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/views/projects/show.rhtml')
| -rw-r--r-- | app/views/projects/show.rhtml | 15 |
1 files changed, 5 insertions, 10 deletions
diff --git a/app/views/projects/show.rhtml b/app/views/projects/show.rhtml index 79e36a586..46f17d9b9 100644 --- a/app/views/projects/show.rhtml +++ b/app/views/projects/show.rhtml @@ -1,13 +1,13 @@ <h2><%=l(:label_overview)%></h2>
<div class="splitcontentleft">
- <%= simple_format(auto_link(@project.description)) %>
+ <%= simple_format(auto_link(h @project.description)) %>
<ul>
<% unless @project.homepage.empty? %><li><%=l(:field_homepage)%>: <%= auto_link @project.homepage %></li><% end %>
<li><%=l(:field_created_on)%>: <%= format_date(@project.created_on) %></li>
<% for custom_value in @custom_values %>
<% if !custom_value.value.empty? %>
- <li><%= custom_value.custom_field.name%>: <%= show_value(custom_value) %></li>
+ <li><%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %></li>
<% end %>
<% end %>
</ul>
@@ -32,7 +32,7 @@ <% end %>
</ul>
<% end %> - <center><small>[ <%= link_to l(:label_issue_view_all), :controller => 'projects', :action => 'list_issues', :id => @project, :set_filter => 1 %> ]</small></center>
+ <center><small><%= link_to l(:label_issue_view_all), :controller => 'projects', :action => 'list_issues', :id => @project, :set_filter => 1 %></small></center>
</div> </div>
@@ -55,13 +55,8 @@ <div class="box">
<h3><%=l(:label_news_latest)%></h3>
- <% for news in @news %>
- <p><b><%= news.title %></b> <small>(<%= link_to_user news.author %> <%= format_time(news.created_on) %>)</small><br />
- <%= news.summary %>
- <small>[<%= link_to l(:label_read), :controller => 'news', :action => 'show', :id => news %>]</small></p>
- <hr />
- <% end %> - <center><small>[ <%= link_to l(:label_news_view_all), :controller => 'projects', :action => 'list_news', :id => @project %> ]</small></center>
+ <%= render :partial => 'news/news', :collection => @news %> + <center><small><%= link_to l(:label_news_view_all), :controller => 'projects', :action => 'list_news', :id => @project %></small></center>
</div>
</div>
|