author | Lukas Matt <lukas@zauberstuhl.de> | 2014-04-28 18:01:44 +0400 |
committer | Lukas Matt <lukas@zauberstuhl.de> | 2014-05-15 15:23:44 +0400 |
commit | 462a7116de711777794fb41b73934593124c5ad6 (patch) | |
tree | 12b953de16939fab1b8451fac80ba2c6b59a7e06 | |
parent | 7ef802127e4e05163315c6e4bc153a9437293898 (diff) |
Fixed possible XSS; escape comment text in report helper
-rw-r--r-- | app/helpers/report_helper.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/app/helpers/report_helper.rb b/app/helpers/report_helper.rb
index 3d8ee929b..370981314 100644
--- a/app/helpers/report_helper.rb
+++ b/app/helpers/report_helper.rb
@@ -8,7 +8,9 @@ module ReportHelper
 when 'post'
 t('report.post_label', title: link_to(post_page_title(Post.find_by_id(id)), post_path(id)))
 when 'comment'
-t('report.comment_label', data: comment_message(Comment.find_by_id(id)))
+# comment_message is not html_safe. To prevent
+# cross-site-scripting we have to escape html
+t('report.comment_label', data: h(comment_message(Comment.find_by_id(id))))
 end
 end
 end
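Review bot: The escaping is applied at this one call site, so the safety of the `'comment'` branch now depends on every future caller of `comment_message` remembering to wrap it the same way; the added comment should say where the unescaped text ends up, e.g. `# comment_message returns raw user text; the translated label is rendered as html_safe, so escape it here`, and a matching note on `comment_message` itself (outside this hunk) would make the contract visible where it is defined. The `'post'` branch stays safe only because `link_to` escapes its label argument, which is worth stating in the same comment so the two branches read as deliberate rather than inconsistent. A more robust alternative, if the locale files can be renamed, is the Rails `_html` key convention (`report.comment_label_html`), under which `t` escapes interpolated values itself and no per-call `h` is needed; I cannot tell from the hunk whether the view relies on `html_safe` or `raw`, so confirm before changing the key. `Comment.find_by_id(id)` may return nil, and whether `comment_message` tolerates that is not visible here. The enclosing method and `case` start outside the hunk.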