authorRafael Mendonça França <rafaelmfranca@gmail.com>2014-05-26 15:58:51 -0300
committerRafael Mendonça França <rafaelmfranca@gmail.com>2014-05-26 15:58:51 -0300
commit505a263c3579784ae9af7aa1d81aaaedfbfeda96 (patch)
tree9047da380bdafe936f1d44bb714637ec4c04345b /actionpack
parent6ed161e3fddd9f10e5a7446355df3f9d9f26b4aa (diff)
Escape user input before showing in the page.
This is not a security issue, since this page is not present in production and the user has to type something into the field themselves, but it is still better to escape the input.
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb4
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb b/actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb
index cce0d75af4..6ffa242da4 100644
--- a/actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb
+++ b/actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb
@@ -148,8 +148,8 @@
// On key press perform a search for matching paths
searchElem.onkeyup = function(e){
var userInput = searchElem.value,
- defaultExactMatch = '<tr><th colspan="4">Paths Matching (' + sanitizePath(userInput) +'):</th></tr>',
- defaultFuzzyMatch = '<tr><th colspan="4">Paths Containing (' + userInput +'):</th></tr>',
+ defaultExactMatch = '<tr><th colspan="4">Paths Matching (' + escape(sanitizePath(userInput)) +'):</th></tr>',
+ defaultFuzzyMatch = '<tr><th colspan="4">Paths Containing (' + escape(userInput) +'):</th></tr>',
noExactMatch = '<tr><th colspan="4">No Exact Matches Found</th></tr>',
noFuzzyMatch = '<tr><th colspan="4">No Fuzzy Matches Found</th></tr>';
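Review bot: The `escape()` used on the two added lines is the legacy global URL-percent-encoding function (Annex B, deprecated), not an HTML escaper, so the search term will be rendered percent-encoded in the table header — `/users/:id` shows as `/users/%3Aid` and a space as `%20` — unless the template defines its own `escape` somewhere outside this hunk, which I cannot see from here. It does happen to encode `<`, `>`, `&` and `"`, so the markup-injection concern is closed, but the displayed text is wrong. A small HTML-escape helper, or setting the header text via `textContent` instead of building markup with string concatenation, would fix both. Whatever `sanitizePath` does to the exact-match term is not visible in the hunk, and the `onkeyup` handler continues past the end of it.
```javascript
// Escape the five HTML-significant characters; escape() is URL-encoding and mangles the text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function(c) {
    return {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'}[c];
  });
}
// … unchanged: searchElem.onkeyup handler start …
defaultExactMatch = '<tr><th colspan="4">Paths Matching (' + escapeHtml(sanitizePath(userInput)) +'):</th></tr>',
defaultFuzzyMatch = '<tr><th colspan="4">Paths Containing (' + escapeHtml(userInput) +'):</th></tr>',
```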