From 9d9710538c162cf6c769be76aae316a69a740a5f Mon Sep 17 00:00:00 2001
From: Eric Caron <eric.caron@gmail.com>
Date: Tue, 16 Sep 2014 09:53:50 -0500
Subject: [PATCH] Escaping experiment name in "Use This" situations to make
 sure single-quotes don't cause misnamed experiments to be deemed the winner

---
 lib/split/dashboard/helpers.rb            | 4 ++++
 lib/split/dashboard/views/_experiment.erb | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/split/dashboard/helpers.rb b/lib/split/dashboard/helpers.rb
index c54525f7..f51418c3 100644
--- a/lib/split/dashboard/helpers.rb
+++ b/lib/split/dashboard/helpers.rb
@@ -1,5 +1,9 @@
 module Split
   module DashboardHelpers
+    def h(text)
+      Rack::Utils.escape_html(text)
+    end
+
     def url(*path_parts)
       [ path_prefix, path_parts ].join("/").squeeze('/')
     end
diff --git a/lib/split/dashboard/views/_experiment.erb b/lib/split/dashboard/views/_experiment.erb
index 8409fc2d..c35d9935 100644
--- a/lib/split/dashboard/views/_experiment.erb
+++ b/lib/split/dashboard/views/_experiment.erb
@@ -71,7 +71,7 @@
             <% end %>
           <% else %>
             <form action="<%= url experiment.name %>" method='post' onclick="return confirmWinner()">
-              <input type='hidden' name='alternative' value='<%= alternative.name %>'>
+              <input type='hidden' name='alternative' value='<%= h alternative.name %>'>
               <input type="submit" value="Use this" class="green">
             </form>
           <% end %>