Fixes a nasty security vuln. Thx to Tie Fighter for noticing it

publify · Dec 17, 2009 · 27400fe · 27400fe
1 parent 404982f
commit 27400fe
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/app/controllers/admin/feedback_controller.rb b/app/controllers/admin/feedback_controller.rb
@@ -97,7 +97,7 @@ def update
   def preview
     feedback = Feedback.find(params[:id])
     render(:update) do |page|
-      page.replace_html("feedback_#{feedback.id}", feedback.body)
+      page.replace_html("feedback_#{feedback.id}", h(feedback.body))
     end
 
   end

diff --git a/app/views/admin/feedback/article.html.erb b/app/views/admin/feedback/article.html.erb
@@ -13,7 +13,7 @@
       <p><strong><%= mail_to h(comment.email), h(comment.author) %></strong> |
       <%= link_to_unless comment.url.blank?, h(comment.url), comment.url %> | 
       IP: <%=h comment.ip %></p>
-      <%= comment.body %>
+      <%= h(comment.body) %>
       <p>
         <%= comment.created_at.strftime("%m/%d/%Y %H:%M") %> – [ 
         <%= link_to_edit _("Edit"), comment %> |