@@ -3,7 +3,7 @@ <div id="page-nav"> <ul id="act-nav" class="clear"> <% if controller.controller_name == 'comments' && controller.action_name == 'index' && @comments.size > 0 -%> - <li><%= link_to_remote "Delete these #{@filter != 'all' ? @filter : ''} comments", :confirm => "Are you sure you wish to delete all #{@filter != 'all' ? @filter : ''} comments?", + <li><%= link_to_remote h("Delete these #{@filter != 'all' ? @filter : ''} comments"), :confirm => "Are you sure you wish to delete all #{@filter != 'all' ? @filter : ''} comments?", :url => { :controller => 'comments', :action => 'destroy', :id => @article }, :with => "ArticleForm.getAvailableComments().toQueryString('comment')" %></li> <% end -%> @@ -57,4 +57,4 @@ <% end -%> </ul> </div> -<% end unless @article && @article.new_record? && @article.comments.size == 0 -%> \ No newline at end of file +<% end unless @article && @article.new_record? && @article.comments.size == 0 -%> app/views/admin/articles/_page_nav.rhtml @@ -52,7 +52,7 @@ <h3>Some stats</h3> <p> You have a uploaded a total of <strong><%= pluralize site.assets.count, 'asset'%></strong>, using - <strong><%= number_to_human_size site.assets.sum(:size) %></strong>. + <strong><%=h number_to_human_size site.assets.sum(:size) %></strong>. </p> </div> <% end %> app/views/admin/assets/index.rhtml @@ -2,7 +2,7 @@ <h3 style="border-bottom:1px solid #ccc;padding:5px"> <% if @article -%> -Comments on <%= link_to @article.title, edit_article_path(@article), :style => 'border:none' %> <span class="right"><%= @article.published? ? link_to(image_tag('/images/mephisto/icons/24-zoom-in.png', :style => 'vertical-align: middle'), @site.permalink_for(@article), :style => 'border:none;') : '&nbsp;' %></span> +Comments on <%= link_to h(@article.title), edit_article_path(@article), :style => 'border:none' %> <span class="right"><%= @article.published? ? link_to(image_tag('/images/mephisto/icons/24-zoom-in.png', :style => 'vertical-align: middle'), @site.permalink_for(@article), :style => 'border:none;') : '&nbsp;' %></span> <% else -%> Comments for all articles <% end -%> @@ -22,7 +22,7 @@ Comments for all articles <blockquote><p>"<%= strip_tags(comment.body) %>"</p></blockquote> <% end -%> <span class="meta"> - <cite>&mdash; <%= author_link_for comment %><%= %( (#{comment.author_email})) unless comment.author_email.blank? %> said <%= time_ago_in_words comment.created_at %> ago</cite> + <cite>&mdash; <%= author_link_for comment %><%=h %( (#{comment.author_email})) unless comment.author_email.blank? %> said <%=h time_ago_in_words comment.created_at %> ago</cite> <%= link_to_remote 'Edit', :url => edit_article_comment_path(comment.article, comment), :method => :get %> | <% if comment.approved? -%> app/views/admin/comments/index.rhtml @@ -1,16 +1,16 @@ <div class="group"> <dl> <dt> - <%= label_tag :data, labels[:data] %> + <%= label_tag :data, h(labels[:data]) %> <p class="hint"><%= hint %></p> </dt> <dd><%= text_area_tag :data, h(attachment && attachment.file? ? attachment.read : params[:data]), :class => 'fat', :rows => 20 %></dd> <% if controller.action_name == 'index' -%> <dt> - <%= label_tag :filename, labels[:filename] %> + <%= label_tag :filename, h(labels[:filename]) %> <p class="hint">You can create one of three types of files: Liquid (*.liquid), CSS (*.css), and Javascript (*.js).</p> </dt> <dd><%= text_field_tag :filename, params[:filename] %></dd> <% end -%> </dl> -</div> \ No newline at end of file +</div> app/views/admin/design/_form.rhtml @@ -4,18 +4,18 @@ *_layout suffix (e.g custom_layout).</p> <ul id="attachments"> <% @theme.templates.template_types(@theme.extension).each do |template| -%> - <li><%= link_to template, url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %></li> + <li><%= link_to h(template), url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %></li> <% end -%> <% @theme.templates.custom(@theme.extension).each_with_index do |template, i| -%> <li id="templates-<%= i %>"> <%= delete_link :templates, template, "templates-#{i}" %> - <%= link_to template, url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %> + <%= link_to h(template), url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %> </li> <% end -%> <% @theme.resources.reject { |r| @theme.resources.image?(r) }.each_with_index do |resource, i| -%> <li id="resources-<%= i %>"> <%= delete_link :resources, resource.basename.to_s, "resources-#{i}" %> - <%= link_to resource.basename, url_for_theme(:controller => 'resources', :action => 'edit', :filename => resource.basename) %> + <%= link_to h(resource.basename), url_for_theme(:controller => 'resources', :action => 'edit', :filename => resource.basename) %> </li> <% end -%> </ul> @@ -25,7 +25,7 @@ <p>Select an image to use in your template.</p> <ul id="attachments"> <% @theme.resources.select { |r| @theme.resources.image?(r) }.each_with_index do |image, i| -%> - <li id="images-<%= i %>"><%= delete_link :resources, image.basename.to_s, "images-#{i}" %> <%= image.basename %> </li> + <li id="images-<%= i %>"><%= delete_link :resources, h(image.basename.to_s), "images-#{i}" %> <%= h(image.basename) %> </li> <% end -%> </ul> app/views/admin/design/_sidebar.rhtml @@ -49,7 +49,7 @@ <h3>Recent activity</h3> <ul class="slist" id="activity"> <% @users.each do |user| -%> - <li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%= distance_of_time_in_words_to_now(user.updated_at) %> ago</li> + <li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li> <% end -%> </ul> </div> app/views/admin/overview/index.rhtml @@ -1,12 +1,12 @@ - <li class="theme<%= ' current' if theme.current? %>" id="theme-<%= theme_counter %>"> + <li class="theme<%=h ' current' if theme.current? %>" id="theme-<%= theme_counter %>"> <h3> - <span title="stored in /<%= theme.name %>"><%=h theme.title %></span> + <span title="stored in /<%=h theme.name %>"><%=h theme.title %></span> <span class="thememeta"> <% unless theme.version.blank? -%>v<%=h theme.version %> |<% end -%> - by <%= theme.linked_author.blank? ? 'unknown' : theme.linked_author %> + by <%=h theme.linked_author.blank? ? 'unknown' : theme.linked_author %> </span> </h3> <a id="theme-dialog-<%= theme_counter %>" class="theme_dialog"> <img src="<%= url_for(:controller => '/admin/themes', :action => 'preview_for', :id => theme) %>" alt="Theme preview" title="<%=h theme.title %> (v<%=h theme.version %>)" /> </a> - </li> \ No newline at end of file + </li> app/views/admin/themes/_theme.rhtml @@ -3,7 +3,7 @@ <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> - <title><%= site.title %>: Admin <%= controller.controller_name %></title> + <title><%=h site.title %>: Admin <%=h controller.controller_name %></title> <%= stylesheet_link_tag 'mephisto/mephisto' %> <%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/dragdrop', 'mephisto/lowpro', 'mephisto/application' %> <script type="text/javascript">Mephisto.root = '<%= relative_url_root %>'; <%= init_mephisto_authenticity_token %></script> @@ -36,7 +36,7 @@ <li><%= link_to 'Articles', :controller => '/admin/articles' %></li> <li><%= link_to 'Assets', :controller => '/admin/assets' %></li> <% Mephisto::Plugin.tabs.each do |tab| -%> - <li><%= link_to tab.first, tab.last %></li> + <li><%= link_to h(tab.first), tab.last %></li> <% end -%> </ul> <% if admin? -%> @@ -49,7 +49,7 @@ <li><%= link_to 'Plugins', :controller => '/admin/plugins' %></li> <% end -%> <% Mephisto::Plugin.admin_tabs.each do |tab| -%> - <li><%= link_to tab.first.to_s.tableize.humanize, tab.last %></li> + <li><%= link_to h(tab.first.to_s.tableize.humanize), tab.last %></li> <% end -%> </ul> <% end -%> @@ -80,8 +80,8 @@ <!-- div.left --> <div id="main"> <div id="flashes"> - <div id="flash-errors" style="display: none;"><%= flash[:error] %></div> - <div id="flash-notice" style="display:none"><%= flash[:notice] %></div> + <div id="flash-errors" style="display: none;"><%=h flash[:error] %></div> + <div id="flash-notice" style="display:none"><%=h flash[:notice] %></div> </div> <!-- begin action nav --> <%= yield :action_nav %> app/views/layouts/application.rhtml f9d3c105eb0c22b7a66430619be41b697c98200f Eric Kidd emk git@randomhacks.net http://github.com/emk/mephisto/commit/a83309dbc833ce1ef255ac65275ba498115d1040 a83309dbc833ce1ef255ac65275ba498115d1040 2008-12-11T15:31:50-08:00 2008-12-11T15:29:51-08:00 Security: Escape strings where recommended by SafeERB The SafeERB plugin attempts to automatically detect view code which fails to properly escape HTML. You can find information here: http://wiki.rubyonrails.com/rails/pages/Safe+ERB I'm using a version of SafeERB modified by Matthew Bass, which can be found on github: http://github.com/pelargir/safe_erb/tree/master My local copy is modified to avoid some false positives, and isn't ready for production use yet. But here's the first batch of changes it recommended. Note that some of these changes weren't really necessary-- some of the values we're wrapping can't actually contain HTML metacharacters, at least not in normal locales. Also note that SafeERB is only useful for the normal view code in places like /admin, and that it won't help us with Liquid plugins in the front end. But it's a start. bf75a57264c39abb41b433917bea009351be6b48 Eric Kidd emk git@randomhacks.net