Security: Escape more strings

The sqlite3_ruby database adapter does not correctly taint strings unless you first apply this patch: http://rubyforge.org/tracker/index.php?func=detail&aid=20325&group_id=254&atid=1045 With this patch applied, SafeERB finds more errors. These are now fixed. It would be highly desirable to update SafeERB and modify it for production use with Rails 2.2.
emk · Dec 12, 2008 · 7a20455 · 7a20455
1 parent a83309d
commit 7a20455
Show file tree

Hide file tree

Showing 9 changed files with 17 additions and 17 deletions.
diff --git a/app/views/admin/articles/_article.rhtml b/app/views/admin/articles/_article.rhtml
@@ -1,6 +1,6 @@
 <tr class="<%= article.status %>" id="article_<%= article.id %>">
   <td><%= image_tag "mephisto/icons/#{status_icon[article.status][1]}", :class => "#{status_icon[article.status][0]} icon", :title => "This article is #{article.status}", :alt => "#{article.status}" %></td>
-  <td class="article_title"><%= link_to(article.title, {:action => 'edit', :id => article}) %></td>
+  <td class="article_title"><%= link_to(h(article.title), {:action => 'edit', :id => article}) %></td>
   <td class="ccount">
     <% if article.comments.size == 0 %>
       none

diff --git a/app/views/admin/articles/_shared_options.rhtml b/app/views/admin/articles/_shared_options.rhtml
@@ -5,7 +5,7 @@
       <li>
         <%= check_box_tag 'article[section_ids][]', section.id, @article.has_section?(section), 
               :id => "article_section_ids_#{section.id}" %>
-        <label for="article_section_ids_<%= section.id %>"><%= section.name %></label>
+        <label for="article_section_ids_<%= section.id %>"><%=h section.name %></label>
       </li>
     <% end %>
   </ul>

diff --git a/app/views/admin/overview/_comment_event.rhtml b/app/views/admin/overview/_comment_event.rhtml
@@ -1,7 +1,7 @@
 <% with_options :controller => 'articles', :id => event.article_id do |article| -%>
 <li id="event-<%= event.id %>" class="event-comment<%= " shade" if shaded %>">
   <div id="comment-<%= event.comment_id %>">
-    <%= link_to event.article.title, :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment.
+    <%= link_to h(event.article.title), :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment.
 
     <span class="event-time"><%= event_time_for event, later %></span>
     <% unless event.body.blank? -%>

diff --git a/app/views/admin/overview/_create_event.rhtml b/app/views/admin/overview/_create_event.rhtml
@@ -1,5 +1,5 @@
 <li class="event-revision<%= " shade" if shaded %>">
   <span class="event-time"><%= event_time_for event, later %></span>
   <%= link_to h(event.title), :controller => 'articles', :action => 'show', :id => event.article_id %> was created.
-  <span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span>
-</li>
+  <span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span>
+</li>
diff --git a/app/views/admin/overview/_publish_event.rhtml b/app/views/admin/overview/_publish_event.rhtml
@@ -1,5 +1,5 @@
 <li class="event-article<%= " shade" if defined?(shaded) && shaded == true %>">
   <span class="event-time"><%= event_time_for event, later %></span>
   <%= link_to h(event.title), :controller => 'articles', :action => 'edit', :id => event.article_id %> was created.
-  <span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span>
-</li>
+  <span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span>
+</li>
diff --git a/app/views/admin/overview/index.rhtml b/app/views/admin/overview/index.rhtml
@@ -49,7 +49,7 @@
     <h3>Recent activity</h3>
     <ul class="slist" id="activity">
       <% @users.each do |user| -%>
-        <li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
+        <li style="clear:right;"><%= avatar_for user %><%= link_to h(who(user.login)), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
       <% end -%>
     </ul>
   </div>

diff --git a/app/views/admin/users/_user.rhtml b/app/views/admin/users/_user.rhtml
@@ -1,7 +1,7 @@
 <li id="<%= user.dom_id %>" class="clear<%= %( deleted) unless user.deleted_at.nil? %><%= %( selected) if @user == user %>" fsdfa>
     <%= avatar_for user %>
-    <h3><%= link_to user.login, :action => 'show', :id => user %></h3>
-    <%= user.email %>
+    <h3><%= link_to h(user.login), :action => 'show', :id => user %></h3>
+    <%=h user.email %>
   <% unless user.admin? || user == current_user -%>
     <p>
       <%= check_box_tag user.dom_id(:user_toggle), user.id,  user.deleted_at.nil?, :onclick => "UserForm.toggle(this);" %>
@@ -13,4 +13,4 @@
       <%= image_tag 'mephisto/progress.gif', :size => '10x10', :style => 'display:none', :id => "#{user.dom_id}-progress" %>
     </p>
   <% end -%>
-</li>
+</li>
diff --git a/app/views/layouts/application.rhtml b/app/views/layouts/application.rhtml
@@ -26,7 +26,7 @@
         <li><%= link_to 'Logout', { :controller => '/account', :action => 'logout' }, :method => :post %></li>
       </ul>
 
-      <h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
+      <h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
 
       <!-- div.nav -->  
       <div id="nav">

diff --git a/app/views/layouts/simple.rhtml b/app/views/layouts/simple.rhtml
@@ -3,25 +3,25 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <meta http-equiv="Content-type" content="text/html; charset=utf-8" />   
-    <title>Mephisto: <%= controller.controller_name %> Admin</title>
+    <title>Mephisto: <%=h controller.controller_name %> Admin</title>
     <%= stylesheet_link_tag 'mephisto/fullscreen' %>
     <%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/lowpro', 'mephisto/application' %>
     <script type="text/javascript">Mephisto.root = '<%= relative_url_root %>';</script>
   </head>
-  <body id="body-<%= controller.controller_name %>">
+  <body id="body-<%=h controller.controller_name %>">
 
       <!-- div.header -->
       <div id="header">
-        <h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
+        <h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
       </div>
       <!-- /div.header -->
 
     <div id="container">    
 
       <!-- div.content -->
       <div id="fullscreen">
-        <div id="flash-errors" style="display: none;"><%= flash[:error] %></div>
-        <div id="flash-notice" style="display:none"><%= flash[:notice] %></div>
+        <div id="flash-errors" style="display: none;"><%=h flash[:error] %></div>
+        <div id="flash-notice" style="display:none"><%=h flash[:notice] %></div>
 
         <!-- div.left -->
         <div id="main">