aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_view
diff options
context:
space:
mode:
authorDan Barry <dan@bakineggs.com>2009-03-07 18:55:12 +0000
committerPratik Naik <pratiknaik@gmail.com>2009-03-07 18:55:19 +0000
commit45494580d9405e80ba124d17c8379436883c8c78 (patch)
treeb91c10bec39824e16b2c3c5688aa9f9212e0aa07 /actionpack/lib/action_view
parentdf8669d4b5691646ca8bb4ba01f6e5348ae8dd69 (diff)
downloadrails-45494580d9405e80ba124d17c8379436883c8c78.tar.gz
rails-45494580d9405e80ba124d17c8379436883c8c78.tar.bz2
rails-45494580d9405e80ba124d17c8379436883c8c78.zip
Ensure Active Record error related view helpers escape the message [#1280 state:resolved] [Inge Jørgensen, Dan Barry]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r--actionpack/lib/action_view/helpers/active_record_helper.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb
index 8b56d241ae..541899ea6a 100644
--- a/actionpack/lib/action_view/helpers/active_record_helper.rb
+++ b/actionpack/lib/action_view/helpers/active_record_helper.rb
@@ -121,7 +121,7 @@ module ActionView
if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) &&
(errors = obj.errors.on(method))
content_tag("div",
- "#{options[:prepend_text]}#{errors.is_a?(Array) ? errors.first : errors}#{options[:append_text]}",
+ "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{options[:append_text]}",
:class => options[:css_class]
)
else
@@ -198,7 +198,7 @@ module ActionView
locale.t :header, :count => count, :model => object_name
end
message = options.include?(:message) ? options[:message] : locale.t(:body)
- error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, msg) } }.join
+ error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, ERB::Util.html_escape(msg)) } }.join
contents = ''
contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?