diff options
| author | Dan Barry <dan@bakineggs.com> | 2009-03-07 18:55:12 +0000 |
|---|---|---|
| committer | Pratik Naik <pratiknaik@gmail.com> | 2009-03-07 18:55:19 +0000 |
| commit | 45494580d9405e80ba124d17c8379436883c8c78 (patch) | |
| tree | b91c10bec39824e16b2c3c5688aa9f9212e0aa07 /actionpack/lib/action_view | |
| parent | df8669d4b5691646ca8bb4ba01f6e5348ae8dd69 (diff) | |
| download | rails-45494580d9405e80ba124d17c8379436883c8c78.tar.gz rails-45494580d9405e80ba124d17c8379436883c8c78.tar.bz2 rails-45494580d9405e80ba124d17c8379436883c8c78.zip | |
Ensure Active Record error related view helpers escape the message [#1280 state:resolved] [Inge Jørgensen, Dan Barry]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
Diffstat (limited to 'actionpack/lib/action_view')
| -rw-r--r-- | actionpack/lib/action_view/helpers/active_record_helper.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb index 8b56d241ae..541899ea6a 100644 --- a/actionpack/lib/action_view/helpers/active_record_helper.rb +++ b/actionpack/lib/action_view/helpers/active_record_helper.rb @@ -121,7 +121,7 @@ module ActionView if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) && (errors = obj.errors.on(method)) content_tag("div", - "#{options[:prepend_text]}#{errors.is_a?(Array) ? errors.first : errors}#{options[:append_text]}", + "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{options[:append_text]}", :class => options[:css_class] ) else @@ -198,7 +198,7 @@ module ActionView locale.t :header, :count => count, :model => object_name end message = options.include?(:message) ? options[:message] : locale.t(:body) - error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, msg) } }.join + error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, ERB::Util.html_escape(msg)) } }.join contents = '' contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank? |