Permalink
Browse files

Security: Escape more strings

The sqlite3_ruby database adapter does not correctly taint strings
unless you first apply this patch:

  http://rubyforge.org/tracker/index.php?func=detail&aid=20325&group_id=254&atid=1045

With this patch applied, SafeERB finds more errors.  These are now
fixed.  It would be highly desirable to update SafeERB and modify it for
production use with Rails 2.2.
  • Loading branch information...
emk committed Dec 12, 2008
1 parent a83309d commit 7a20455fab59441d15e261172aa9fac109eb3893
@@ -1,6 +1,6 @@
<tr class="<%= article.status %>" id="article_<%= article.id %>">
<td><%= image_tag "mephisto/icons/#{status_icon[article.status][1]}", :class => "#{status_icon[article.status][0]} icon", :title => "This article is #{article.status}", :alt => "#{article.status}" %></td>
<td class="article_title"><%= link_to(article.title, {:action => 'edit', :id => article}) %></td>
<td class="article_title"><%= link_to(h(article.title), {:action => 'edit', :id => article}) %></td>
<td class="ccount">
<% if article.comments.size == 0 %>
none
@@ -5,7 +5,7 @@
<li>
<%= check_box_tag 'article[section_ids][]', section.id, @article.has_section?(section),
:id => "article_section_ids_#{section.id}" %>
<label for="article_section_ids_<%= section.id %>"><%= section.name %></label>
<label for="article_section_ids_<%= section.id %>"><%=h section.name %></label>
</li>
<% end %>
</ul>
@@ -1,7 +1,7 @@
<% with_options :controller => 'articles', :id => event.article_id do |article| -%>
<li id="event-<%= event.id %>" class="event-comment<%= " shade" if shaded %>">
<div id="comment-<%= event.comment_id %>">
<%= link_to event.article.title, :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment.
<%= link_to h(event.article.title), :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment.

<span class="event-time"><%= event_time_for event, later %></span>
<% unless event.body.blank? -%>
@@ -1,5 +1,5 @@
<li class="event-revision<%= " shade" if shaded %>">
<span class="event-time"><%= event_time_for event, later %></span>
<%= link_to h(event.title), :controller => 'articles', :action => 'show', :id => event.article_id %> was created.
<span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span>
</li>
<span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span>
</li>
@@ -1,5 +1,5 @@
<li class="event-article<%= " shade" if defined?(shaded) && shaded == true %>">
<span class="event-time"><%= event_time_for event, later %></span>
<%= link_to h(event.title), :controller => 'articles', :action => 'edit', :id => event.article_id %> was created.
<span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span>
</li>
<span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span>
</li>
@@ -49,7 +49,7 @@
<h3>Recent activity</h3>
<ul class="slist" id="activity">
<% @users.each do |user| -%>
<li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
<li style="clear:right;"><%= avatar_for user %><%= link_to h(who(user.login)), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
<% end -%>
</ul>
</div>
@@ -1,7 +1,7 @@
<li id="<%= user.dom_id %>" class="clear<%= %( deleted) unless user.deleted_at.nil? %><%= %( selected) if @user == user %>" fsdfa>
<%= avatar_for user %>
<h3><%= link_to user.login, :action => 'show', :id => user %></h3>
<%= user.email %>
<h3><%= link_to h(user.login), :action => 'show', :id => user %></h3>
<%=h user.email %>
<% unless user.admin? || user == current_user -%>
<p>
<%= check_box_tag user.dom_id(:user_toggle), user.id, user.deleted_at.nil?, :onclick => "UserForm.toggle(this);" %>
@@ -13,4 +13,4 @@
<%= image_tag 'mephisto/progress.gif', :size => '10x10', :style => 'display:none', :id => "#{user.dom_id}-progress" %>
</p>
<% end -%>
</li>
</li>
@@ -26,7 +26,7 @@
<li><%= link_to 'Logout', { :controller => '/account', :action => 'logout' }, :method => :post %></li>
</ul>

<h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
<h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>

<!-- div.nav -->
<div id="nav">
@@ -3,25 +3,25 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<title>Mephisto: <%= controller.controller_name %> Admin</title>
<title>Mephisto: <%=h controller.controller_name %> Admin</title>
<%= stylesheet_link_tag 'mephisto/fullscreen' %>
<%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/lowpro', 'mephisto/application' %>
<script type="text/javascript">Mephisto.root = '<%= relative_url_root %>';</script>
</head>
<body id="body-<%= controller.controller_name %>">
<body id="body-<%=h controller.controller_name %>">

<!-- div.header -->
<div id="header">
<h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
<h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
</div>
<!-- /div.header -->

<div id="container">

<!-- div.content -->
<div id="fullscreen">
<div id="flash-errors" style="display: none;"><%= flash[:error] %></div>
<div id="flash-notice" style="display:none"><%= flash[:notice] %></div>
<div id="flash-errors" style="display: none;"><%=h flash[:error] %></div>
<div id="flash-notice" style="display:none"><%=h flash[:notice] %></div>

<!-- div.left -->
<div id="main">

0 comments on commit 7a20455

Please sign in to comment.