Security: Escape more strings

emk · emk · commit 7a20455fab59 · 2008-12-11T19:05:37.000-05:00
The sqlite3_ruby database adapter does not correctly taint strings unless you first apply this patch: http://rubyforge.org/tracker/index.php?func=detail&aid=20325&group_id=254&atid=1045 With this patch applied, SafeERB finds more errors. These are now fixed. It would be highly desirable to update SafeERB and modify it for production use with Rails 2.2.
diff --git a/app/views/admin/articles/_article.rhtml b/app/views/admin/articles/_article.rhtml
@@ -1,6 +1,6 @@
 <tr class="<%= article.status %>" id="article_<%= article.id %>">
   <td><%= image_tag "mephisto/icons/#{status_icon[article.status][1]}", :class => "#{status_icon[article.status][0]} icon", :title => "This article is #{article.status}", :alt => "#{article.status}" %></td>
-  <td class="article_title"><%= link_to(article.title, {:action => 'edit', :id => article}) %></td>
+  <td class="article_title"><%= link_to(h(article.title), {:action => 'edit', :id => article}) %></td>
   <td class="ccount">
     <% if article.comments.size == 0 %>
       none
diff --git a/app/views/admin/articles/_shared_options.rhtml b/app/views/admin/articles/_shared_options.rhtml
@@ -5,7 +5,7 @@
       <li>
         <%= check_box_tag 'article[section_ids][]', section.id, @article.has_section?(section), 
               :id => "article_section_ids_#{section.id}" %>
-        <label for="article_section_ids_<%= section.id %>"><%= section.name %></label>
+        <label for="article_section_ids_<%= section.id %>"><%=h section.name %></label>
       </li>
     <% end %>
   </ul>
diff --git a/app/views/admin/overview/_comment_event.rhtml b/app/views/admin/overview/_comment_event.rhtml
@@ -1,7 +1,7 @@
 <% with_options :controller => 'articles', :id => event.article_id do |article| -%>
 <li id="event-<%= event.id %>" class="event-comment<%= " shade" if shaded %>">
   <div id="comment-<%= event.comment_id %>">
-    <%= link_to event.article.title, :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment.
+    <%= link_to h(event.article.title), :controller => 'articles', :action => 'comments', :id => event.article_id, :anchor => "comment-#{event.comment_id}" %> received a comment.
   
     <span class="event-time"><%= event_time_for event, later %></span>
     <% unless event.body.blank? -%>
diff --git a/app/views/admin/overview/_create_event.rhtml b/app/views/admin/overview/_create_event.rhtml
@@ -1,5 +1,5 @@
 <li class="event-revision<%= " shade" if shaded %>">
   <span class="event-time"><%= event_time_for event, later %></span>
   <%= link_to h(event.title), :controller => 'articles', :action => 'show', :id => event.article_id %> was created.
-  <span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span>
-</li>
+  <span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span>
+</li>
diff --git a/app/views/admin/overview/_publish_event.rhtml b/app/views/admin/overview/_publish_event.rhtml
@@ -1,5 +1,5 @@
 <li class="event-article<%= " shade" if defined?(shaded) && shaded == true %>">
   <span class="event-time"><%= event_time_for event, later %></span>
   <%= link_to h(event.title), :controller => 'articles', :action => 'edit', :id => event.article_id %> was created.
-  <span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span>
-</li>
+  <span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span>
+</li>
diff --git a/app/views/admin/overview/index.rhtml b/app/views/admin/overview/index.rhtml
@@ -49,7 +49,7 @@
     <h3>Recent activity</h3>
     <ul class="slist" id="activity">
       <% @users.each do |user| -%>
-        <li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
+        <li style="clear:right;"><%= avatar_for user %><%= link_to h(who(user.login)), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
       <% end -%>
     </ul>
   </div>
diff --git a/app/views/admin/users/_user.rhtml b/app/views/admin/users/_user.rhtml
@@ -1,7 +1,7 @@
 <li id="<%= user.dom_id %>" class="clear<%= %( deleted) unless user.deleted_at.nil? %><%= %( selected) if @user == user %>" fsdfa>
     <%= avatar_for user %>
-    <h3><%= link_to user.login, :action => 'show', :id => user %></h3>
-    <%= user.email %>
+    <h3><%= link_to h(user.login), :action => 'show', :id => user %></h3>
+    <%=h user.email %>
   <% unless user.admin? || user == current_user -%>
     <p>
       <%= check_box_tag user.dom_id(:user_toggle), user.id,  user.deleted_at.nil?, :onclick => "UserForm.toggle(this);" %>
@@ -13,4 +13,4 @@
       <%= image_tag 'mephisto/progress.gif', :size => '10x10', :style => 'display:none', :id => "#{user.dom_id}-progress" %>
     </p>
   <% end -%>
-</li>
+</li>
diff --git a/app/views/layouts/application.rhtml b/app/views/layouts/application.rhtml
@@ -26,7 +26,7 @@
         <li><%= link_to 'Logout', { :controller => '/account', :action => 'logout' }, :method => :post %></li>
       </ul>
 
-      <h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
+      <h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
 
       <!-- div.nav -->  
       <div id="nav">
diff --git a/app/views/layouts/simple.rhtml b/app/views/layouts/simple.rhtml
@@ -3,25 +3,25 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <meta http-equiv="Content-type" content="text/html; charset=utf-8" />   
-    <title>Mephisto: <%= controller.controller_name %> Admin</title>
+    <title>Mephisto: <%=h controller.controller_name %> Admin</title>
     <%= stylesheet_link_tag 'mephisto/fullscreen' %>
     <%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/lowpro', 'mephisto/application' %>
     <script type="text/javascript">Mephisto.root = '<%= relative_url_root %>';</script>
   </head>
-  <body id="body-<%= controller.controller_name %>">
+  <body id="body-<%=h controller.controller_name %>">
   
       <!-- div.header -->
       <div id="header">
-        <h1><%= link_to "#{site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
+        <h1><%= link_to "#{h site.title} &mdash; Admin", { :controller => '/admin/overview' }, :title => "#{site.title} admin" %></h1>
       </div>
       <!-- /div.header -->
         
     <div id="container">    
       
       <!-- div.content -->
       <div id="fullscreen">
-        <div id="flash-errors" style="display: none;"><%= flash[:error] %></div>
-        <div id="flash-notice" style="display:none"><%= flash[:notice] %></div>
+        <div id="flash-errors" style="display: none;"><%=h flash[:error] %></div>
+        <div id="flash-notice" style="display:none"><%=h flash[:notice] %></div>
         
         <!-- div.left -->
         <div id="main">
