Web Style Tweaks are CDATA

Make sure they're properly escaped.
2008-02-29 02:40:22 -06:00 · 2008-02-29 02:40:22 -06:00 · ad620f63d3
parent 9b7b6fb805
commit ad620f63d3
2 changed files with 3 additions and 3 deletions
--- a/app/views/admin/edit_web.rhtml
+++ b/app/views/admin/edit_web.rhtml
@ -69,7 +69,7 @@
    tags.</em>
    <br/>
    <textarea id="additionalStyle" class="disableAutoComplete" cols="50" rows="20"
-      style="display:none" name="additional_style"><%= @web.additional_style %>
+      style="display:none" name="additional_style"><%= h(@web.additional_style) %>
    </textarea>
  </div>

--- a/app/views/layouts/default.rhtml
+++ b/app/views/layouts/default.rhtml
@ -26,10 +26,10 @@

  <%= stylesheet_link_tag 'instiki' unless @inline_style %>

-  <style type="text/css">
+  <style type="text/css"><!--/*--><![CDATA[/*><!--*/
    <%= @style_additions %>
    <%= @web ? @web.additional_style : '' %>
-  </style>
+  /*]]>*/--></style>
  <%= javascript_include_tag :defaults %>
  <% if @web %>
  	<%= auto_discovery_link_tag(:atom, :controller => 'wiki', :web => @web.address, :action => 'atom_with_headlines') %>