authorhukl <contact@smyck.org>2009-10-17 13:56:01 +0200
committerhukl <contact@smyck.org>2009-10-17 13:56:01 +0200
commitc36132551b62e7d249948712d6dc47be614c28a5 (patch)
tree03d259bc98c11defc0ab36e961f1d95d335833e4 /app/views/custom
parentb7c233271b072ba408bfa9e9e8cc6fde7726c558 (diff)
added sanitize statements to hopefully all critical templates to protect against cross site scripting.
added section to environment.rb listing the whitelisted tags and attributes and examples on how to extend the list
Diffstat (limited to 'app/views/custom')
-rw-r--r--app/views/custom/page_templates/public/no_date_and_author.html.erb2
-rw-r--r--app/views/custom/page_templates/public/standard_template.html.erb2
2 files changed, 2 insertions, 2 deletions
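--- a/app/views/custom/page_templates/public/no_date_and_author.html.erb
+++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb
@@ -1,7 +1,7 @@
 <div class="article">
  <h2><%= @page.title %></h2>
  <hr class="subtitle" />
- <p><em><%= @page.abstract %></em></p>
+ <p><em><%= sanitize( @page.abstract ) %></em></p>
  <div id="headline_image"><%= headline_image %></div>
  <%= aggregate?(@page.body) %>
 </div>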
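Review bot: `@page.title` on the new side's line 2 is still emitted raw through `<%= @page.title %>`, while only the abstract on line 4 now passes through sanitize(); if the title is editable by the same users who edit the abstract, it is the same injection point. Unless this app runs on a Rails release that escapes ERB output automatically (the `.try(:login)` helper in the sibling template and the 2009 date suggest 2.3, which does not), the line should read `<h2><%= h(@page.title) %></h2>`. Note also that sanitize() is an allow-list filter that keeps whatever tags the environment.rb list permits, so the abstract remains HTML-bearing output; if it is meant to be plain text, `h()` is the stricter choice. `headline_image` and `aggregate?(@page.body)` are helpers defined outside this hunk, so whether the page body is sanitized cannot be judged here.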
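--- a/app/views/custom/page_templates/public/standard_template.html.erb
+++ b/app/views/custom/page_templates/public/standard_template.html.erb
@@ -2,7 +2,7 @@
  <h2><%= @page.title %></h2>
  <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3>
  <hr class="subtitle" />
- <p><em><%= @page.abstract %></em></p>
+ <p><em><%= sanitize( @page.abstract )%></em></p>
  <div id="headline_image"><%= headline_image %></div>
  <%= aggregate?(@page.body) %>
 </div>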
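Review bot: The login rendered on line 3, `<%= @page.user.try(:login) %>`, is still unescaped even though a login is user-supplied at registration and appears on every public page built from this template; the same applies to `@page.title` on line 2. Absent automatic output escaping (not the default for 2009-era Rails, which the `.try` helper suggests), that line should read `<h3><%= date_for_page @page %>, <%= h(@page.user.try(:login)) %></h3>`. As a style point, the new line 5 has `sanitize( @page.abstract )%>` with no space before `%>`, unlike the sibling no_date_and_author template; `<%= sanitize(@page.abstract) %>` keeps both consistent. `date_for_page`, `headline_image` and `aggregate?` are defined outside the hunk, so their escaping behaviour is not visible here.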