author | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2019-01-07 21:45:08 +0100 |
committer | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2019-01-07 21:45:08 +0100 |
commit | 4429d6269252a329fa579e19ff1a32ce694a5a4d (patch) | |
tree | d6feac12b6b75f949a4cd5d696d32d2d552fa7a9 | |
parent | 426fc7d872fbbed0a64e015d69c34f399fa450d5 (diff) |
proper output encoding of poll title
-rwxr-xr-x | delete_poll.rb | 2 | ||||
-rw-r--r-- | dudle.rb | 2 | ||||
-rwxr-xr-x | index.cgi | 2 | ||||
-rwxr-xr-x | overview.rb | 2 |
4 files changed, 4 insertions, 4 deletions
diff --git a/delete_poll.rb b/delete_poll.rb
index a88ec5d..624567c 100755
--- a/delete_poll.rb
+++ b/delete_poll.rb
@@ -106,7 +106,7 @@ else
 end
 $d.html << "<h2>" + _("Delete this poll") + "</h2>"
-$d.html << _("You want to delete the poll named") + " <b>#{$d.table.name}</b>.<br />"
+$d.html << _("You want to delete the poll named") + " <b>#{CGI.escapeHTML($d.table.name)}</b>.<br />"
 $d.html << _("This is an irreversible action!") + "<br />"
 $d.html << _("If you are sure that you want to permanently remove this poll, please type “%{question}” into the form.") % {:question => QUESTIONS[confirm]}
 deletestr = _("Delete")
@@ -180,7 +180,7 @@ HEAD
 <div id='main'>
 #{tabs_to_html(@tab)}
 <div id='content'>
- <h1 id='polltitle'>#{@title}</h1>
+ <h1 id='polltitle'>#{CGI.escapeHTML(@title)}</h1>
 HEAD
@@ -60,7 +60,7 @@ if $cgi.include?("create_poll") && $cgi.include?("poll_url")
 File.open(f,"w").close
 VCS.add(f)
 }
- Poll.new(CGI.escapeHTML(polltitle),$cgi["poll_type"])
+ Poll.new(polltitle,$cgi["poll_type"])
 Dir.chdir("..")
 $d.html.header["status"] = "REDIRECT"
 $d.html.header["Cache-Control"] = "no-cache"
diff --git a/overview.rb b/overview.rb
index 31cf7d0..d6658e7 100755
--- a/overview.rb
+++ b/overview.rb
@@ -40,7 +40,7 @@ $d << <<END
 #{sendlink}
 <ul>
 <li><input id="humanReadableURL" value="#{$conf.siteurl}" type="text" size="80" readonly="readonly"></li>
- <li><a id="mailtoURL" href='mailto:?subject=#{CGI.escapeHTML(CGI.escape(subjectstr).gsub("+","%20"))}&body=#{$conf.siteurl}'>#{mailstr}</a></li>
+ <li><a id="mailtoURL" href='mailto:?subject=#{CGI.escape(subjectstr).gsub("+","%20")}&body=#{$conf.siteurl}'>#{mailstr}</a></li>
 </ul>
 </li>
 <li> |
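Review bot: With the title now persisted unescaped (index.cgi hunk), the `CGI.escapeHTML` added on the `$d.table.name` line here and on the `<h1 id='polltitle'>` line in the dudle.rb hunk only cover the two output sites visible in this diff; any other interpolation of `@title` or `$d.table.name` into markup elsewhere (presumably at least a `<title>` element, which I cannot see from these hunks) needs the same wrapper, otherwise moving escaping from input to output reopens stored script injection at the uncovered site. The dudle.rb line sits inside a heredoc terminated by `HEAD`, and the method enclosing it starts and ends outside the hunk; the delete_poll.rb statements are top-level script lines. A one-line comment at the first escaping site would stop a later maintainer from reintroducing input-side escaping, e.g. `# poll titles are stored unescaped; every HTML output site must escape them itself`.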
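Review bot: Dropping `CGI.escapeHTML` from the `Poll.new(polltitle,$cgi["poll_type"])` call changes the stored format, but polls created before this commit were saved with an already-escaped title, so those will now be escaped a second time by the new output-side wrappers (a stored `&amp;` renders as `&amp;amp;`). A one-off migration applying `CGI.unescapeHTML` to existing titles, or at least a note in the commit message that old titles will display double-escaped, is missing. Where `polltitle` is assigned is outside the hunk, as is the start and end of the enclosing `if $cgi.include?("create_poll") && ...` block.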
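Review bot: Removing the outer `CGI.escapeHTML` on the `mailtoURL` line is only safe because `CGI.escape` emits just unreserved ASCII, `+` (rewritten to `%20`) and `%XX` sequences, none of which are HTML-special, and that reasoning deserves a comment on the line above the heredoc, e.g. `# subject is already percent-encoded by CGI.escape, which leaves no HTML-special characters`. The same `href` still interpolates `#{$conf.siteurl}` without escaping and joins the two parameters with a bare `&` rather than `&amp;`; siteurl is configuration rather than request input, so that is a markup-validity issue rather than an injection one, but `&amp;body=` is the correct form inside an attribute. The `$d << <<END` heredoc containing this line starts and ends outside the hunk.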