Fixed XSS vulnerability in helper method.

fatfreecrm · Sep 2, 2014 · 29a8c83 · 29a8c83
1 parent 827bfc9
commit 29a8c83
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -413,8 +413,8 @@ def col(title, value, last = false, email = false)
       else
         fmt_value.gsub(/((http|ftp|https):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-\.,@?^=%&amp;:\/\+#]*[\w\-\@?^=%&amp;\/\+#])?)/, "<a href=\"\\1\">\\1</a>")
       end
-    %Q^<th#{last ? " class=\"last\"" : ""}>#{title}:</th>
-  <td#{last ? " class=\"last\"" : ""}>#{fmt_value}</td>^.html_safe
+    %Q^<th#{last ? " class=\"last\"" : ""}>#{h title}:</th>
+  <td#{last ? " class=\"last\"" : ""}>#{h fmt_value}</td>^.html_safe
   end
 
   #----------------------------------------------------------------------------