HTML-escaping of error and info messages

app/controllers/application.rb

@@ -106,6 +106,21 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def rescue_action_in_public(exception)
+    render_text <<-EOL
+      <html>
+        <body>
+          <p>There was a controller specific error processing your request.</p>
+          <!-- \n#{exception}\n#{exception.backtrace.join("\n")}\n  -->
+        </body>
+      </html>
+    EOL
+  end
+  
+  def local_request?
+    false
+  end
+
   def return_to_last_remembered
     # Forget the redirect location
     redirect_target, @session[:return_to] = @session[:return_to], nil

app/controllers/wiki_controller.rb

@@ -205,9 +205,9 @@ class WikiController < ApplicationController
       # the application itself (for application errors, it's better not to rescue the error at all)
       rescue => e
         logger.error e
+        flash[:error] = e.message
         if in_a_web?
-          redirect_to :web => @web_name, :action => 'edit',
+          redirect_to :web => @web_name, :action => 'edit', :id => @page_name
-              :action_suffix => "#{@page_name}?msg=#{e.message}"
         else
           raise e
         end

app/views/layouts/default.rhtml

@@ -61,11 +61,11 @@ PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   </h1>
 
 <% if @error or @flash[:error] %> <div id="error">
-    <hr/><p><%= (@error || @flash[:error]) %></p><hr/></div>
+    <hr/><p><%= h(@error || @flash[:error]) %></p><hr/></div>
 <% end %>
 
 <% if @flash[:info] %> <div id="info">
-    <hr/><p><%= @flash[:info].to_s %></p><hr/></div>
+    <hr/><p><%= h @flash[:info] %></p><hr/></div>
 <% end %>
 
 <%= render 'navigation' unless @web.nil? || @hide_navigation %>