Fix Two XSS Vulnerabilities

Unescaped  page names (in 'edit' an 'new' views).
Unsanitized HTTP_CLIENT_IP header.

app/controllers/wiki_controller.rb

@@ -2,6 +2,7 @@ require 'fileutils'
 require 'redcloth_for_tex'
 require 'parsedate'
 require 'zip/zip'
+require 'resolv'
 
 class WikiController < ApplicationController
 
@@ -381,7 +382,7 @@ class WikiController < ApplicationController
   def remote_ip
     ip = request.remote_ip
     logger.info(ip)
-    ip
+    ip.gsub!(Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex), '\0') || 'bogus address'
   end
 
   def render_rss(hide_description = false, limit = 15, start_date = nil, end_date = nil)

app/models/page.rb

@@ -77,7 +77,7 @@ class Page < ActiveRecord::Base
 
   # Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page".
   def plain_name
-    web.brackets_only? ? name : WikiWords.separate(name)
+    web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapeHTML(WikiWords.separate(name))
   end
 
   LOCKING_PERIOD = 30.minutes

app/views/wiki/edit.rhtml

@@ -1,5 +1,5 @@
 <% 
-  @title = "Editing #{@page.name}"
+  @title = "Editing #{CGI.escapeHTML(@page.name)}"
   @content_width = 720
   @hide_navigation = true
 %>

app/views/wiki/new.rhtml

@@ -1,5 +1,5 @@
 <% 
-  @title = "Creating #{WikiWords.separate(@page_name)}"
+  @title = "Creating #{CGI.escapeHTML(WikiWords.separate(@page_name))}"
   @content_width = 720
   @hide_navigation = true
 %>