0
@@ -4,6 +4,8 @@ module Resourceful
0
       # Sets the default flash message.
0
       # This message can be overridden by passing in
0
       # an HTTP parameter of the form "_flash[type]" via POST or GET.
0
+      # _flash HTTP parameter values will be HTML escaped prior to 
0
+      # being used.
0
       #
0
       # You can use this to easily have multiple forms
0
       # post to the same create/edit/destroy actions
0
@@ -17,7 +19,9 @@ module Resourceful
0
       # TODO: Move this out of here
0
       #++
0
       def set_default_flash(type, message)
0
-        flash[type] ||= (params[:_flash] && params[:_flash][type]) || message
0
+        flash[type] ||= (params[:_flash] && params[:_flash][type]) ? 
0
+          ERB::Util.h(params[:_flash][type]) : 
0
+          message
0
       end
0
 
0
       # Sets the default redirect

0
@@ -14,6 +14,13 @@ describe 'Resourceful::Default::Responses', " with a _flash parameter for :error
0
     @controller.set_default_flash(:error, "Aw there's no error!")
0
     @flash[:error].should == 'Oh no, an error!'
0
   end
0
+  
0
+  it "should set the flash for :error to the parameter's cleansed value when set_default_flash is called on :error" do
0
+    evil_script = "<script language=\"javascript\">alert('no good');</script>"
0
+    @params[:_flash][:error] = evil_script
0
+    @controller.set_default_flash(:error, "Aw there's no error!")
0
+    @flash[:error].should == ERB::Util.h(evil_script)
0
+  end
0
 
0
   it "should set the flash for :message to the default value when set_default_flash is called on :message" do
0
     @controller.set_default_flash(:message, "All jim dandy!")