aboutsummaryrefslogtreecommitdiffstats
path: root/app
diff options
context:
space:
mode:
authorPhilip Arndt <parndt@gmail.com>2012-08-17 08:27:29 -0700
committerPhilip Arndt <parndt@gmail.com>2012-08-17 08:27:29 -0700
commit06fe63e5f02dc98c0573d497cad145538db97bf2 (patch)
treee309d3eec908a1de3204866409a2cbe84d38ec5a /app
parent9e58e35cf26deb13ef3054cab9a35c76827a448d (diff)
parent9883c149e539cf4700ad2d9cf33ee012dd3bd750 (diff)
downloadrefinerycms-blog-06fe63e5f02dc98c0573d497cad145538db97bf2.tar.gz
refinerycms-blog-06fe63e5f02dc98c0573d497cad145538db97bf2.tar.bz2
refinerycms-blog-06fe63e5f02dc98c0573d497cad145538db97bf2.zip
Merge pull request #266 from Nethemba/for_purists
escape title and tags in templates
Diffstat (limited to 'app')
-rw-r--r--app/views/refinery/blog/posts/_nav.html.erb4
-rw-r--r--app/views/refinery/blog/posts/tagged.html.erb2
2 files changed, 3 insertions, 3 deletions
diff --git a/app/views/refinery/blog/posts/_nav.html.erb b/app/views/refinery/blog/posts/_nav.html.erb
index eafd35e..9e87e6e 100644
--- a/app/views/refinery/blog/posts/_nav.html.erb
+++ b/app/views/refinery/blog/posts/_nav.html.erb
@@ -1,6 +1,6 @@
<nav id="next_prev_article">
<% if @post.next.present? -%>
- <%= link_to (truncate(@post.next.title) + " &#187;").html_safe,
+ <%= link_to (h(truncate(@post.next.title)) + " &#187;").html_safe,
refinery.blog_post_path(@post.next),
:class => 'next' %>
<% end -%>
@@ -10,7 +10,7 @@
:class => 'home' %>
<% if @post.prev.present? -%>
- <%= link_to ("&#171; " + truncate(@post.prev.title)).html_safe,
+ <%= link_to ("&#171; " + h(truncate(@post.prev.title))).html_safe,
refinery.blog_post_path(@post.prev),
:class => 'prev' %>
<% end -%>
diff --git a/app/views/refinery/blog/posts/tagged.html.erb b/app/views/refinery/blog/posts/tagged.html.erb
index c22e55b..89e1415 100644
--- a/app/views/refinery/blog/posts/tagged.html.erb
+++ b/app/views/refinery/blog/posts/tagged.html.erb
@@ -1,6 +1,6 @@
<% content_for :title, "#{t('.posts_tagged')} '#{@tag_name.titleize}'" %>
-<% content_for :body_content_title, "#{t('.posts_tagged')} &#8220;#{@tag_name.titleize}&#8221;".html_safe -%>
+<% content_for :body_content_title, "#{t('.posts_tagged')} &#8220;#{h(@tag_name.titleize)}&#8221;".html_safe -%>
<% content_for :body do %>
<% if @posts.any? %>