@@ -1,6 +1,6 @@ <tr class="<%= article.status %>" id="article_<%= article.id %>"> <td><%= image_tag "mephisto/icons/#{status_icon[article.status][1]}", :class => "#{status_icon[article.status][0]} icon", :title => "This article is #{article.status}", :alt => "#{article.status}" %></td> - <td class="article_title"><%= link_to(article.title, {:action => 'edit', :id => article}) %></td> + <td class="article_title"><%= link_to(h(article.title), {:action => 'edit', :id => article}) %></td> <td class="ccount"> <% if article.comments.size == 0 %> none app/views/admin/articles/_article.rhtml @@ -5,7 +5,7 @@ <li> <%= check_box_tag 'article[section_ids][]', section.id, @article.has_section?(section), :id => "article_section_ids_#{section.id}" %> - <label for="article_section_ids_<%= section.id %>"><%= section.name %></label> + <label for="article_section_ids_<%= section.id %>"><%=h section.name %></label> </li> <% end %> </ul> app/views/admin/articles/_shared_options.rhtml @@ -1,7 +1,7 @@ <% with_options :controller => 'articles', :id => event.article_id do |article| -%> <li id="event-<%= event.id %>" class="event-comment<%= " shade" if shaded %>"> <div id="comment-<%= event.comment_id %>"> - <%= link_to event.article.title, :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment. + <%= link_to h(event.article.title), :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment. <span class="event-time"><%= event_time_for event, later %></span> <% unless event.body.blank? -%> app/views/admin/overview/_comment_event.rhtml @@ -1,5 +1,5 @@ <li class="event-revision<%= " shade" if shaded %>"> <span class="event-time"><%= event_time_for event, later %></span> <%= link_to h(event.title), :controller => 'articles', :action => 'show', :id => event.article_id %> was created. - <span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span> -</li> \ No newline at end of file + <span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span> +</li> app/views/admin/overview/_create_event.rhtml @@ -1,5 +1,5 @@ <li class="event-article<%= " shade" if defined?(shaded) && shaded == true %>"> <span class="event-time"><%= event_time_for event, later %></span> <%= link_to h(event.title), :controller => 'articles', :action => 'edit', :id => event.article_id %> was created. - <span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span> -</li> \ No newline at end of file + <span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span> +</li> app/views/admin/overview/_publish_event.rhtml @@ -49,7 +49,7 @@ <h3>Recent activity</h3> <ul class="slist" id="activity"> <% @users.each do |user| -%> - <li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li> + <li style="clear:right;"><%= avatar_for user %><%= link_to h(who(user.login)), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li> <% end -%> </ul> </div> app/views/admin/overview/index.rhtml @@ -1,7 +1,7 @@ <li id="<%= user.dom_id %>" class="clear<%= %( deleted) unless user.deleted_at.nil? %><%= %( selected) if @user == user %>" fsdfa> <%= avatar_for user %> - <h3><%= link_to user.login, :action => 'show', :id => user %></h3> - <%= user.email %> + <h3><%= link_to h(user.login), :action => 'show', :id => user %></h3> + <%=h user.email %> <% unless user.admin? || user == current_user -%> <p> <%= check_box_tag user.dom_id(:user_toggle), user.id, user.deleted_at.nil?, :onclick => "UserForm.toggle(this);" %> @@ -13,4 +13,4 @@ <%= image_tag 'mephisto/progress.gif', :size => '10x10', :style => 'display:none', :id => "#{user.dom_id}-progress" %> </p> <% end -%> -</li> \ No newline at end of file +</li> app/views/admin/users/_user.rhtml @@ -26,7 +26,7 @@ <li><%= link_to 'Logout', { :controller => '/account', :action => 'logout' }, :method => :post %></li> </ul> - <h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1> + <h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1> <!-- div.nav --> <div id="nav"> app/views/layouts/application.rhtml @@ -3,16 +3,16 @@ <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> - <title>Mephisto: <%= controller.controller_name %> Admin</title> + <title>Mephisto: <%=h controller.controller_name %> Admin</title> <%= stylesheet_link_tag 'mephisto/fullscreen' %> <%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/lowpro', 'mephisto/application' %> <script type="text/javascript">Mephisto.root = '<%= relative_url_root %>';</script> </head> - <body id="body-<%= controller.controller_name %>"> + <body id="body-<%=h controller.controller_name %>"> <!-- div.header --> <div id="header"> - <h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1> + <h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1> </div> <!-- /div.header --> @@ -20,8 +20,8 @@ <!-- div.content --> <div id="fullscreen"> - <div id="flash-errors" style="display: none;"><%= flash[:error] %></div> - <div id="flash-notice" style="display:none"><%= flash[:notice] %></div> + <div id="flash-errors" style="display: none;"><%=h flash[:error] %></div> + <div id="flash-notice" style="display:none"><%=h flash[:notice] %></div> <!-- div.left --> <div id="main"> app/views/layouts/simple.rhtml a83309dbc833ce1ef255ac65275ba498115d1040 Eric Kidd emk git@randomhacks.net http://github.com/emk/mephisto/commit/7a20455fab59441d15e261172aa9fac109eb3893 7a20455fab59441d15e261172aa9fac109eb3893 2008-12-11T16:05:37-08:00 2008-12-11T16:05:37-08:00 Security: Escape more strings The sqlite3_ruby database adapter does not correctly taint strings unless you first apply this patch: http://rubyforge.org/tracker/index.php?func=detail&aid=20325&group_id=254&atid=1045 With this patch applied, SafeERB finds more errors. These are now fixed. It would be highly desirable to update SafeERB and modify it for production use with Rails 2.2. eb43abe7ea4ced62e2f3cdc99532039644227102 Eric Kidd emk git@randomhacks.net