Further prevent unlikely XSS entry points. Note that no code was actu…

…ally being executed so there was no security risk, but it could have possibly made the display on the dashboard and the email go a tiny bit funny.
refinery · Mar 5, 2010 · d29a17e · d29a17e
1 parent c742abd
commit d29a17e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/vendor/plugins/dashboard/app/helpers/admin/dashboard_helper.rb b/vendor/plugins/dashboard/app/helpers/admin/dashboard_helper.rb
@@ -2,7 +2,7 @@ module Admin::DashboardHelper
 
   def activity_message_for(record)
     if (activity = Refinery::Plugins.active.find_activity_by_model(record.class)).present? and activity.title.present?
-      title = record.send activity.title
+      title = h(record.send activity.title)
       link = link_to  truncate(title.to_s, :length => 45),
                       eval("#{activity.url}(#{activity.nesting("record")}record)"),
                       :title => "See '#{title}'"

diff --git a/vendor/plugins/inquiries/app/views/inquiry_mailer/confirmation.html.erb b/vendor/plugins/inquiries/app/views/inquiry_mailer/confirmation.html.erb
@@ -1 +1 @@
-<%= InquirySetting.confirmation_body.value.gsub("%name%", @inquiry.name) %>
+<%= InquirySetting.confirmation_body.value.gsub("%name%", h(@inquiry.name)) %>