Make sure author is escaped.

stefansundin · Dec 4, 2016 · 23a6c11 · 23a6c11
1 parent 210d378
commit 23a6c11
Show file tree

Hide file tree

Showing 13 changed files with 13 additions and 13 deletions.
diff --git a/views/dailymotion_feed.erb b/views/dailymotion_feed.erb
@@ -13,7 +13,7 @@
     <title>[<%= video["duration"].to_duration %>] <%= video["title"].to_line.esc %></title>
     <link href="https://www.dailymotion.com/video/<%= video["id"] %>" />
     <updated><%= Time.at(video["created_time"]) %></updated>
-    <author><name><%= @screenname %></name></author>
+    <author><name><%= @screenname.esc %></name></author>
     <content type="html">
 <%= <<-EOF.undent.esc
   <iframe width="480" height="270" scrolling="no" frameborder="no" src="https://www.dailymotion.com/embed/video/#{video["id"]}" allowfullscreen></iframe>

diff --git a/views/facebook_feed.erb b/views/facebook_feed.erb
@@ -64,7 +64,7 @@ end
 %></title>
     <link href="<%= link.esc %>" />
     <updated><%= Time.parse(post["updated_time"]) %></updated>
-    <author><name><%= post["from"]["name"] %></name></author>
+    <author><name><%= post["from"]["name"].esc %></name></author>
     <content type="html">
 <%= "<p><em>#{post["story"]}</em></p>".esc if post["story"] %>
 <%= (post["message"] || post["description"]).linkify.to_paragraphs.esc %>

diff --git a/views/googleplus_feed.erb b/views/googleplus_feed.erb
@@ -13,7 +13,7 @@
     <title><%= post["title"].to_line.esc %></title>
     <link href="<%= post["url"].esc %>" />
     <updated><%= Time.parse(post["updated"]) %></updated>
-    <author><name><%= post["actor"]["displayName"] %></name></author>
+    <author><name><%= post["actor"]["displayName"].esc %></name></author>
     <content type="html">
 <%= post["object"]["content"].to_paragraphs(/<br[ \/]*>/).esc %>
 <%- if post["object"]["attachments"] -%>

diff --git a/views/imgur_feed.erb b/views/imgur_feed.erb
@@ -41,7 +41,7 @@
     <link href="<%= link.esc %>" />
     <link href="<%= img_src.esc %>" rel="enclosure" />
     <updated><%= Time.at(image["datetime"].to_i) %></updated>
-    <author><name><%= @username %></name></author>
+    <author><name><%= @username.esc %></name></author>
     <content type="html">
 <%= body -%>
     </content>

diff --git a/views/instagram_feed.erb b/views/instagram_feed.erb
@@ -24,7 +24,7 @@
     <title><%= "Video: " if post["is_video"] %><%= post["caption"].to_line.esc rescue "No title" %></title>
     <link href="https://www.instagram.com/p/<%= post["code"] %>/" />
     <updated><%= Time.at(post["date"]) %></updated>
-    <author><name><%= @data["full_name"] %></name></author>
+    <author><name><%= @data["full_name"].esc %></name></author>
     <content type="html">
 <%=
 if post["is_video"]

diff --git a/views/mixcloud_feed.erb b/views/mixcloud_feed.erb
@@ -13,7 +13,7 @@
     <title>[<%= track["audio_length"].to_duration %>] <%= track["name"].to_line.esc %></title>
     <link href="<%= track["url"].esc %>" />
     <updated><%= Time.parse(track["created_time"]) %></updated>
-    <author><name><%= track["user"]["username"] %></name></author>
+    <author><name><%= track["user"]["username"].esc %></name></author>
     <content type="html">
 <%=
 <<-EOF.undent.esc

diff --git a/views/periscope_feed.erb b/views/periscope_feed.erb
@@ -13,7 +13,7 @@
     <title><%= post["status"].to_line.esc %></title>
     <link href="https://www.periscope.tv/<%= "#{post["username"]}/#{post["id"]}" %>" />
     <updated><%= Time.parse(post["created_at"]) %></updated>
-    <author><name><%= post["user_display_name"] %></name></author>
+    <author><name><%= post["user_display_name"].esc %></name></author>
     <content type="html">
 <%= <<-EOF.undent.esc
   <p><em>Live in #{post["city"]}.</em></p>

diff --git a/views/soundcloud_feed.erb b/views/soundcloud_feed.erb
@@ -13,7 +13,7 @@
     <title>[<%= (track["duration"] / 1000).to_duration %>] <%= track["title"].to_line.esc %></title>
     <link href="<%= track["permalink_url"].esc %>" />
     <updated><%= Time.parse(track["created_at"]) %></updated>
-    <author><name><%= track["user"]["username"] %></name></author>
+    <author><name><%= track["user"]["username"].esc %></name></author>
     <content type="html">
 &lt;iframe width="100%" height="185" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/<%= track["id"] %>">&lt;/iframe>
 

diff --git a/views/twitch_feed.erb b/views/twitch_feed.erb
@@ -13,7 +13,7 @@
     <title><%= "* " if video["broadcast_type"] == "highlight" %>[<%= video["length"].to_i.to_duration %>] <%= video["title"].to_line.esc %></title>
     <link href="<%= "https://www.twitch.tv/#{video["channel"]["name"]}/v/#{video["_id"][1..-1]}" %>" />
     <updated><%= Time.parse(video["created_at"]) %></updated>
-    <author><name><%= video["channel"]["display_name"] %></name></author>
+    <author><name><%= video["channel"]["display_name"].esc %></name></author>
     <content type="html">
 <%= <<-EOF.undent.esc
   <p><em>#{video["channel"]["display_name"]} was #{video["game"] ? "playing #{video["game"]}" : "live"}.</em></p>

diff --git a/views/twitter_feed.erb b/views/twitter_feed.erb
@@ -52,7 +52,7 @@
     <title><%= title.to_line.esc %></title>
     <link href="https://twitter.com/<%= @username %>/status/<%= tweet["id_str"] %>" />
     <updated><%= Time.parse(tweet["created_at"]) %></updated>
-    <author><name><%= @username %></name></author>
+    <author><name><%= @username.esc %></name></author>
     <content type="html">
 <%= body.to_paragraphs.esc %>
     </content>

diff --git a/views/ustream_feed.erb b/views/ustream_feed.erb
@@ -13,7 +13,7 @@
     <title>[<%= video["length"].to_i.to_duration %>] <%= video["title"].to_line.esc %></title>
     <link href="<%= video["url"].esc %>" />
     <updated><%= Time.at(video["created_at"]) %></updated>
-    <author><name><%= video["owner"]["username"] %></name></author>
+    <author><name><%= video["owner"]["username"].esc %></name></author>
     <content type="html">
 &lt;iframe width="480" height="270" scrolling="no" frameborder="no" src="https://www.ustream.tv/embed/recorded/<%= video["id"] %>?html5ui" allowfullscreen>&lt;/iframe>
 

diff --git a/views/vine_feed.erb b/views/vine_feed.erb
@@ -20,7 +20,7 @@
     <title><%= title.to_line.esc %></title>
     <link href="<%= post["permalinkUrl"].esc %>" />
     <updated><%= Time.parse(post["created"]) %></updated>
-    <author><name><%= post["username"] %></name></author>
+    <author><name><%= post["username"].esc %></name></author>
     <content type="html">
 <%= <<-EOF.undent.esc
   <iframe width="600" height="600" scrolling="no" frameborder="no" src="#{post["permalinkUrl"]}/embed/simple" allowfullscreen></iframe>

diff --git a/views/youtube_feed.erb b/views/youtube_feed.erb
@@ -31,7 +31,7 @@
     <title><%= title.esc %></title>
     <link href="https://www.youtube.com/watch?v=<%= video["id"] %>" />
     <updated><%= updated %></updated>
-    <author><name><%= @username %></name></author>
+    <author><name><%= @username.esc %></name></author>
     <content type="html">
 <%= <<-EOF.undent.esc
   <iframe width="640" height="360" src="https://www.youtube.com/embed/#{video["id"]}?rel=0" frameborder="0" scrolling="no" allowfullscreen></iframe>