Fix HTML escaping properly - warvox - VoIP based wardialing tool, forked from rapid7/warvox.
---
DIR commit 70379df629033bdd61080eba61894c2e9b745c62
DIR parent aee6346ab4227e65a5cc0cf26636bd465e72a5cd
HTML Author: HD Moore <hd_moore@rapid7.com>
Date: Tue, 1 Jan 2013 21:16:42 -0600
Fix HTML escaping properly
Diffstat:
M app/helpers/application_helper.rb | 10 +++++-----
M app/views/jobs/index.html.erb | 2 +-
M app/views/layouts/application.html… | 4 ++--
3 files changed, 8 insertions(+), 8 deletions(-)
---
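--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -28,11 +28,11 @@ module ApplicationHelper
 ttip = raw("<div class='task_args_formatted'>")
 info.each_pair do |k,v|
-ttip << raw("<div class='task_args_var'>") + k.to_s.html_safe + raw(": </div> ")
-ttip << raw("<div class='task_args_val'>") + v.to_s.html_safe + raw(" </div>")
+ttip << raw("<div class='task_args_var'>") + h(k.to_s) + raw(": </div> ")
+ttip << raw("<div class='task_args_val'>") + h(v.to_s) + raw(" </div>")
 end
 ttip << raw("</div>\n")
-outp = raw("<a href='#' rel='tooltip' title=\"#{ttip}\" data-html='true'>#{job.task.capitalize.html_safe}</a>")
+outp = raw("<a href='#' rel='tooltip' title=\"#{ttip}\" data-html='true'>#{h job.task.capitalize}</a>")
 outp
 rescue ::Exception => e
 job.status.to_s.capitalize
@@ -42,8 +42,8 @@ module ApplicationHelper
 def format_job_status(job)
 case job.status
 when 'error'
-ttip = job.error.to_s.html_safe
-outp = raw("<a href='#' rel='tooltip' title=\"#{ttip}\" data-html='true'>#{job.status.capitalize.html_safe}</a>")
+ttip = h(job.error.to_s)
+outp = raw("<a href='#' rel='tooltip' title=\"#{ttip}\" data-html='true'>#{h job.status.capitalize}</a>")
 outp
 else
 job.status.to_s.capitalize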
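Review bot: On the new line `outp = raw("<a href='#' rel='tooltip' title=\"#{ttip}\" data-html='true'>…")` the key/value text escaped once by `h(k.to_s)` and `h(v.to_s)` is decoded again by the browser when it parses the title attribute, and a tooltip plugin that honors `data-html='true'` (Bootstrap's does) then inserts that decoded text as markup, so the single `h()` protects the attribute boundary but not the tooltip body. Text that must appear literally inside an HTML-mode tooltip needs escaping for both layers, e.g. `h(CGI.escapeHTML(k.to_s))` and `h(CGI.escapeHTML(v.to_s))` (a plain `h(h(x))` is a no-op, because `h` returns an already-safe buffer untouched); the inner `CGI.escapeHTML` produces a plain String so the outer `h` escapes it a second time. The same applies to `ttip = h(job.error.to_s)` in the second hunk of this file (format_job_status), where no markup is wanted at all and dropping `data-html='true'` from that anchor is the simpler fix. The `rescue ::Exception => e` that closes the first method also catches SystemExit and interrupts and never uses `e`; `rescue StandardError` is the conventional form. Both method definitions begin or end outside these hunks.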
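--- a/app/views/jobs/index.html.erb
+++ b/app/views/jobs/index.html.erb
@@ -90,7 +90,7 @@
 <td><%= format_job_status(job) %></td>
 <td><%= job.created_at.localtime.strftime("%Y-%m-%d %H:%M:%S %Z") %></td>
 <td><%= job.completed_at ? job.completed_at.localtime.strftime("%Y-%m-%d %H:%M:%S %Z") : "incomplete" %></td>
-<td><%= link_to( truncate(job.project.name, :length => 25).html_safe, project_path(job.project)) %></td>
+<td><%= link_to( h(truncate(job.project.name, :length => 25)), project_path(job.project)) %></td>
 </tr>
 <% end %>
 </table>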
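--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -36,7 +36,7 @@
 <%= link_to(
 raw(
 '<i class="icon-chevron-left icon-white"></i> ' +
-truncate(@project.name, :length => 20).html_safe +
+h(truncate(@project.name, :length => 20)) +
 ' <i class="icon-chevron-right icon-white"></i>'), project_path(@project), :class => 'project-title') %>
 </li>
 <%= menu_item "Results", calls_path(@project) %>
@@ -53,7 +53,7 @@
 <%= drop_down_divider %>
 <%= drop_down_header "Recent Projects" %>
 <% Project.find(:all, :order => 'ID DESC', :limit => 5).each do |project| %>
-<%= menu_item raw('<i class="icon-chevron-right"></i> ' + truncate(project.name, :length => 15).html_safe),project_path(project) %>
+<%= menu_item raw('<i class="icon-chevron-right"></i> ' + h(truncate(project.name, :length => 15))),project_path(project) %>
 <% end %>
 <% end %>
 <% end %>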
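Review bot: The new lines `h(truncate(@project.name, :length => 20)) +` and `h(truncate(project.name, :length => 15))` keep the icon markup assembled by string concatenation inside `raw(...)`, which stays safe only as long as every non-literal operand is remembered to be wrapped in `h()`, and the same hand-built pattern now appears in both hunks of this layout. Building the link text from `content_tag(:i, '', :class => 'icon-chevron-right')` and the plain `truncate(...)` result joined with `safe_join`, or moving it into a view helper next to `menu_item`, would let the framework enforce the escaping instead of each template doing it by hand (`safe_join` needs Rails 3.1 or later, which this page does not let me confirm). Applying `truncate` before `h` is the right order here, since escaping first would let the cut land inside an entity.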