| field | value | date |
|---|---|---|
| author | hukl <contact@smyck.org> | 2009-10-17 13:56:01 +0200 |
| committer | hukl <contact@smyck.org> | 2009-10-17 13:56:01 +0200 |
| commit | c36132551b62e7d249948712d6dc47be614c28a5 (patch) | |
| tree | 03d259bc98c11defc0ab36e961f1d95d335833e4 /app/views/custom | |
| parent | b7c233271b072ba408bfa9e9e8cc6fde7726c558 (diff) | |
Added sanitize statements to hopefully all critical templates to protect against cross-site scripting.
Added a section to environment.rb listing the whitelisted tags and attributes and examples on how to extend the list.
Diffstat (limited to 'app/views/custom')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | app/views/custom/page_templates/public/no_date_and_author.html.erb | 2 |
| -rw-r--r-- | app/views/custom/page_templates/public/standard_template.html.erb | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/app/views/custom/page_templates/public/no_date_and_author.html.erb b/app/views/custom/page_templates/public/no_date_and_author.html.erb index 08911ff..ef60961 100644 --- a/app/views/custom/page_templates/public/no_date_and_author.html.erb +++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | <div class="article"> | 1 | <div class="article"> |
| 2 | <h2><%= @page.title %></h2> | 2 | <h2><%= @page.title %></h2> |
| 3 | <hr class="subtitle" /> | 3 | <hr class="subtitle" /> |
| 4 | <p><em><%= @page.abstract %></em></p> | 4 | <p><em><%= sanitize( @page.abstract ) %></em></p> |
| 5 | <div id="headline_image"><%= headline_image %></div> | 5 | <div id="headline_image"><%= headline_image %></div> |
| 6 | <%= aggregate?(@page.body) %> | 6 | <%= aggregate?(@page.body) %> |
| 7 | </div> | 7 | </div> |
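Review bot: line 2 of this hunk still renders `@page.title` unescaped while line 4 now wraps `@page.abstract` in `sanitize`, so a title containing markup would reach the browser untouched; if titles are plain text, `<h2><%= h(@page.title) %></h2>` is the cheaper and stricter fix, and if they may carry markup, sanitize them the same way as the abstract. Note that ERB `<%= %>` does not escape by default in Rails releases before 3.0, so every interpolated user-controlled value needs an explicit `h` or `sanitize`. Lines 5 and 6 (`headline_image` and `aggregate?(@page.body)`) delegate to helpers whose output is not visible here; the commit message says "hopefully all critical templates", so it is worth confirming that `aggregate?` sanitizes the page body before returning it rather than relying on this template.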
diff --git a/app/views/custom/page_templates/public/standard_template.html.erb b/app/views/custom/page_templates/public/standard_template.html.erb index 9ce3e94..d4c80aa 100644 --- a/app/views/custom/page_templates/public/standard_template.html.erb +++ b/app/views/custom/page_templates/public/standard_template.html.erb | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | <h2><%= @page.title %></h2> | 2 | <h2><%= @page.title %></h2> |
| 3 | <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3> | 3 | <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3> |
| 4 | <hr class="subtitle" /> | 4 | <hr class="subtitle" /> |
| 5 | <p><em><%= @page.abstract %></em></p> | 5 | <p><em><%= sanitize( @page.abstract )%></em></p> |
| 6 | <div id="headline_image"><%= headline_image %></div> | 6 | <div id="headline_image"><%= headline_image %></div> |
| 7 | <%= aggregate?(@page.body) %> | 7 | <%= aggregate?(@page.body) %> |
| 8 | </div> | 8 | </div> |
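Review bot: lines 2 and 3 of this hunk leave `@page.title` and `@page.user.try(:login)` unescaped while line 5 now sanitizes the abstract, so the same reasoning that motivated this change applies to them; a user login is typically plain text and should go through `h(...)`, and the title should be treated the same way as in no_date_and_author.html.erb. Minor style point on line 5: `sanitize( @page.abstract )%>` is missing the space before `%>` that the sibling template has, and the padding inside the parentheses is unusual for Ruby; `<%= sanitize(@page.abstract) %>` in both files keeps them consistent.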
