HTML-escaping of error and info messages

2005-05-09 04:31:02 +00:00 · 2005-05-09 04:31:02 +00:00 · 7be6cbecba
commit 7be6cbecba
parent 757e58b94f
3 changed files with 19 additions and 4 deletions
--- a/app/views/layouts/default.rhtml
+++ b/app/views/layouts/default.rhtml
@ -61,11 +61,11 @@ PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  </h1>

 <% if @error or @flash[:error] %> <div id="error">
-    <hr/><p><%= (@error || @flash[:error]) %></p><hr/></div>
+    <hr/><p><%= h(@error || @flash[:error]) %></p><hr/></div>
 <% end %>

 <% if @flash[:info] %> <div id="info">
-    <hr/><p><%= @flash[:info].to_s %></p><hr/></div>
+    <hr/><p><%= h @flash[:info] %></p><hr/></div>
 <% end %>

 <%= render 'navigation' unless @web.nil? || @hide_navigation %>