diff --git a/app/views/admin/articles/_page_nav.rhtml b/app/views/admin/articles/_page_nav.rhtml
index e6e34c08..78fdb457 100644
--- a/app/views/admin/articles/_page_nav.rhtml
+++ b/app/views/admin/articles/_page_nav.rhtml
@@ -3,7 +3,7 @@
<% if controller.controller_name == 'comments' && controller.action_name == 'index' && @comments.size > 0 -%>
- - <%= link_to_remote "Delete these #{@filter != 'all' ? @filter : ''} comments", :confirm => "Are you sure you wish to delete all #{@filter != 'all' ? @filter : ''} comments?",
+
- <%= link_to_remote h("Delete these #{@filter != 'all' ? @filter : ''} comments"), :confirm => "Are you sure you wish to delete all #{@filter != 'all' ? @filter : ''} comments?",
:url => { :controller => 'comments', :action => 'destroy', :id => @article }, :with => "ArticleForm.getAvailableComments().toQueryString('comment')"
%>
<% end -%>
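Review bot: The `:confirm` option on the same `link_to_remote` call still interpolates `@filter` with no escaping, while only the link text was wrapped in `h()`; the confirm text ends up inside a JavaScript string literal in an onclick attribute, so a quote in `@filter` (if it is populated from params) would break out of that literal regardless of HTML escaping. Either restrict `@filter` to a fixed set in the controller or escape it for the JS context, e.g. `:confirm => "Are you sure you wish to delete all #{escape_javascript(@filter != 'all' ? @filter : '')} comments?",`. Whether the helper already escapes the confirm text depends on the Rails version in use, which is not visible here, so this is worth confirming rather than assuming. The `+` and `-` markers of the changed line look garbled in this rendering; the new line is the one calling `h(...)`.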
@@ -57,4 +57,4 @@
<% end -%>
-<% end unless @article && @article.new_record? && @article.comments.size == 0 -%>
\ No newline at end of file
+<% end unless @article && @article.new_record? && @article.comments.size == 0 -%>
diff --git a/app/views/admin/assets/index.rhtml b/app/views/admin/assets/index.rhtml
index b389691b..fa83a9cc 100644
--- a/app/views/admin/assets/index.rhtml
+++ b/app/views/admin/assets/index.rhtml
@@ -52,7 +52,7 @@
Some stats
You have a uploaded a total of <%= pluralize site.assets.count, 'asset'%>, using
- <%= number_to_human_size site.assets.sum(:size) %>.
+ <%=h number_to_human_size site.assets.sum(:size) %>.
<% end %>
diff --git a/app/views/admin/comments/index.rhtml b/app/views/admin/comments/index.rhtml
index e104ae34..23f3be76 100644
--- a/app/views/admin/comments/index.rhtml
+++ b/app/views/admin/comments/index.rhtml
@@ -2,7 +2,7 @@
<% if @article -%>
-Comments on <%= link_to @article.title, edit_article_path(@article), :style => 'border:none' %> <%= @article.published? ? link_to(image_tag('/images/mephisto/icons/24-zoom-in.png', :style => 'vertical-align: middle'), @site.permalink_for(@article), :style => 'border:none;') : ' ' %>
+Comments on <%= link_to h(@article.title), edit_article_path(@article), :style => 'border:none' %> <%= @article.published? ? link_to(image_tag('/images/mephisto/icons/24-zoom-in.png', :style => 'vertical-align: middle'), @site.permalink_for(@article), :style => 'border:none;') : ' ' %>
<% else -%>
Comments for all articles
<% end -%>
@@ -22,7 +22,7 @@ Comments for all articles
"<%= strip_tags(comment.body) %>"
<% end -%>
- — <%= author_link_for comment %><%= %( (#{comment.author_email})) unless comment.author_email.blank? %> said <%= time_ago_in_words comment.created_at %> ago
+ — <%= author_link_for comment %><%=h %( (#{comment.author_email})) unless comment.author_email.blank? %> said <%=h time_ago_in_words comment.created_at %> ago
<%= link_to_remote 'Edit', :url => edit_article_comment_path(comment.article, comment), :method => :get %> |
<% if comment.approved? -%>
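Review bot: `comment.body` on the `strip_tags` line above is still emitted without escaping; `strip_tags` removes tags but does not escape what remains, and comment bodies are visitor-supplied, so this is the one untrusted value in the hunk the commit leaves raw. Change it to `"<%=h strip_tags(comment.body) %>"`. `author_link_for comment` is also output raw; it presumably builds an anchor, so `h()` at the call site would be wrong, but the author name and URL it interpolates should be escaped inside the helper, which cannot be checked from this hunk.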
diff --git a/app/views/admin/design/_form.rhtml b/app/views/admin/design/_form.rhtml
index 56a6d96b..5d115247 100644
--- a/app/views/admin/design/_form.rhtml
+++ b/app/views/admin/design/_form.rhtml
@@ -1,16 +1,16 @@
-
- <%= label_tag :data, labels[:data] %>
+ <%= label_tag :data, h(labels[:data]) %>
<%= hint %>
- <%= text_area_tag :data, h(attachment && attachment.file? ? attachment.read : params[:data]), :class => 'fat', :rows => 20 %>
<% if controller.action_name == 'index' -%>
-
- <%= label_tag :filename, labels[:filename] %>
+ <%= label_tag :filename, h(labels[:filename]) %>
You can create one of three types of files: Liquid (*.liquid), CSS (*.css), and Javascript (*.js).
- <%= text_field_tag :filename, params[:filename] %>
<% end -%>
-
\ No newline at end of file
+
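Review bot: `params[:filename]` on the `text_field_tag` line is reflected straight back into the field's value attribute and the commit leaves it as-is while escaping the static labels around it. That is safe only if `text_field_tag` escapes attribute values in the Rails version this app runs (later versions do this in `tag_options`, earlier ones did not); if it does not, `<%= text_field_tag :filename, h(params[:filename]) %>` is needed, and if it does, adding `h()` would double-escape, so the version behaviour should be confirmed rather than assumed. The `labels[:data]` and `labels[:filename]` values look like view-supplied constants, so `h()` on them is harmless either way.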
diff --git a/app/views/admin/design/_sidebar.rhtml b/app/views/admin/design/_sidebar.rhtml
index 9c130701..11c98614 100644
--- a/app/views/admin/design/_sidebar.rhtml
+++ b/app/views/admin/design/_sidebar.rhtml
@@ -4,18 +4,18 @@
*_layout suffix (e.g custom_layout).
<% @theme.templates.template_types(@theme.extension).each do |template| -%>
- - <%= link_to template, url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %>
+ - <%= link_to h(template), url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %>
<% end -%>
<% @theme.templates.custom(@theme.extension).each_with_index do |template, i| -%>
-
<%= delete_link :templates, template, "templates-#{i}" %>
- <%= link_to template, url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %>
+ <%= link_to h(template), url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %>
<% end -%>
<% @theme.resources.reject { |r| @theme.resources.image?(r) }.each_with_index do |resource, i| -%>
-
<%= delete_link :resources, resource.basename.to_s, "resources-#{i}" %>
- <%= link_to resource.basename, url_for_theme(:controller => 'resources', :action => 'edit', :filename => resource.basename) %>
+ <%= link_to h(resource.basename), url_for_theme(:controller => 'resources', :action => 'edit', :filename => resource.basename) %>
<% end -%>
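Review bot: The `delete_link` calls on the `templates-#{i}` and `resources-#{i}` lines still receive `template` and `resource.basename.to_s` unescaped, while the same pattern in the images hunk (`@@ -25,7`) of this file now wraps the name in `h()`; the filenames come from the same theme directory, so they are at the same trust level the commit is already escaping. Change them to `<%= delete_link :templates, h(template), "templates-#{i}" %>` and `<%= delete_link :resources, h(resource.basename.to_s), "resources-#{i}" %>`. Whether `delete_link` escapes its argument itself cannot be seen here; if it does, the `h()` in the images hunk is a double escape and the three call sites should be made consistent the other way.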
@@ -25,7 +25,7 @@
Select an image to use in your template.
<% @theme.resources.select { |r| @theme.resources.image?(r) }.each_with_index do |image, i| -%>
- - <%= delete_link :resources, image.basename.to_s, "images-#{i}" %> <%= image.basename %>
+ - <%= delete_link :resources, h(image.basename.to_s), "images-#{i}" %> <%= h(image.basename) %>
<% end -%>
diff --git a/app/views/admin/overview/index.rhtml b/app/views/admin/overview/index.rhtml
index 727d7f94..26cf5f34 100644
--- a/app/views/admin/overview/index.rhtml
+++ b/app/views/admin/overview/index.rhtml
@@ -49,7 +49,7 @@
Recent activity
<% @users.each do |user| -%>
- - <%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %>
showed up <%= distance_of_time_in_words_to_now(user.updated_at) %> ago
+ - <%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %>
showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago
<% end -%>
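Review bot: `who(user.login)` is still passed to `link_to` raw on the added line; only the time phrase got `h()`, although `user.login` is the value a user actually chooses. Unless `who` escapes its result, the link text should be `link_to h(who(user.login)), :controller => 'users', :action => 'show', :id => user`. The changed line appears wrapped across two physical lines in this rendering; the `showed up` text is the tail of the same template line.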
diff --git a/app/views/admin/themes/_theme.rhtml b/app/views/admin/themes/_theme.rhtml
index 1498ce37..0f680893 100644
--- a/app/views/admin/themes/_theme.rhtml
+++ b/app/views/admin/themes/_theme.rhtml
@@ -1,12 +1,12 @@
-
+
- <%=h theme.title %>
+ <%=h theme.title %>
<% unless theme.version.blank? -%>v<%=h theme.version %> |<% end -%>
- by <%= theme.linked_author.blank? ? 'unknown' : theme.linked_author %>
+ by <%=h theme.linked_author.blank? ? 'unknown' : theme.linked_author %>
-
\ No newline at end of file
+
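Review bot: `theme.linked_author` on the `by` line is now passed through `h`; its name suggests it returns an anchor tag, in which case the markup would now be rendered literally as text instead of as a link. If that is so, the escaping belongs inside `linked_author` around the author name and URL, and the view should stay `<%= theme.linked_author.blank? ? 'unknown' : theme.linked_author %>`; if it returns plain text the change is correct as written. Rendering a theme whose author field contains `<` would settle which case applies.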
diff --git a/app/views/layouts/application.rhtml b/app/views/layouts/application.rhtml
index 2fd86d7c..0de8a87e 100644
--- a/app/views/layouts/application.rhtml
+++ b/app/views/layouts/application.rhtml
@@ -3,7 +3,7 @@
- <%= site.title %>: Admin <%= controller.controller_name %>
+ <%=h site.title %>: Admin <%=h controller.controller_name %>
<%= stylesheet_link_tag 'mephisto/mephisto' %>
<%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/dragdrop', 'mephisto/lowpro', 'mephisto/application' %>
@@ -36,7 +36,7 @@
<%= link_to 'Articles', :controller => '/admin/articles' %>
<%= link_to 'Assets', :controller => '/admin/assets' %>
<% Mephisto::Plugin.tabs.each do |tab| -%>
- <%= link_to tab.first, tab.last %>
+ <%= link_to h(tab.first), tab.last %>
<% end -%>
<% if admin? -%>
@@ -49,7 +49,7 @@
<%= link_to 'Plugins', :controller => '/admin/plugins' %>
<% end -%>
<% Mephisto::Plugin.admin_tabs.each do |tab| -%>
- <%= link_to tab.first.to_s.tableize.humanize, tab.last %>
+ <%= link_to h(tab.first.to_s.tableize.humanize), tab.last %>
<% end -%>
<% end -%>
@@ -80,8 +80,8 @@
-
<%= flash[:error] %>
-
<%= flash[:notice] %>
+
<%=h flash[:error] %>
+
<%=h flash[:notice] %>
<%= yield :action_nav %>