authorBenjamin Kellermann <Benjamin.Kellermann@gmx.de>2019-01-07 21:45:08 +0100
committerBenjamin Kellermann <Benjamin.Kellermann@gmx.de>2019-01-07 21:45:08 +0100
commit4429d6269252a329fa579e19ff1a32ce694a5a4d (patch)
treed6feac12b6b75f949a4cd5d696d32d2d552fa7a9
parent426fc7d872fbbed0a64e015d69c34f399fa450d5 (diff)
proper output encoding of poll title
-rwxr-xr-xdelete_poll.rb2
-rw-r--r--dudle.rb2
-rwxr-xr-xindex.cgi2
-rwxr-xr-xoverview.rb2
4 files changed, 4 insertions, 4 deletions
diff --git a/delete_poll.rb b/delete_poll.rb
index a88ec5d..624567c 100755
--- a/delete_poll.rb
+++ b/delete_poll.rb
@@ -106,7 +106,7 @@ else
end
$d.html << "<h2>" + _("Delete this poll") + "</h2>"
-$d.html << _("You want to delete the poll named") + " <b>#{$d.table.name}</b>.<br />"
+$d.html << _("You want to delete the poll named") + " <b>#{CGI.escapeHTML($d.table.name)}</b>.<br />"
$d.html << _("This is an irreversible action!") + "<br />"
$d.html << _("If you are sure that you want to permanently remove this poll, please type “%{question}” into the form.") % {:question => QUESTIONS[confirm]}
deletestr = _("Delete")
diff --git a/dudle.rb b/dudle.rb
index 210c367..53edbae 100644
--- a/dudle.rb
+++ b/dudle.rb
@@ -180,7 +180,7 @@ HEAD
<div id='main'>
#{tabs_to_html(@tab)}
<div id='content'>
- <h1 id='polltitle'>#{@title}</h1>
+ <h1 id='polltitle'>#{CGI.escapeHTML(@title)}</h1>
HEAD
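Review bot: `CGI.escapeHTML(@title)` raises a TypeError when `@title` is nil, whereas the bare interpolation it replaces rendered nil as an empty heading; if any page ever assembles this header without a poll title, the new line turns a blank `<h1>` into a server error. Writing it as `<h1 id='polltitle'>#{CGI.escapeHTML(@title.to_s)}</h1>` keeps the old nil behaviour while still escaping real titles. The heredoc this line belongs to begins outside the hunk.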
diff --git a/index.cgi b/index.cgi
index b96a358..05a17b3 100755
--- a/index.cgi
+++ b/index.cgi
@@ -60,7 +60,7 @@ if $cgi.include?("create_poll") && $cgi.include?("poll_url")
File.open(f,"w").close
VCS.add(f)
}
- Poll.new(CGI.escapeHTML(polltitle),$cgi["poll_type"])
+ Poll.new(polltitle,$cgi["poll_type"])
Dir.chdir("..")
$d.html.header["status"] = "REDIRECT"
$d.html.header["Cache-Control"] = "no-cache"
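Review bot: Poll names created before this commit were stored through the removed `CGI.escapeHTML(polltitle)` and so already contain entities such as `&amp;`; with escaping now applied at output time (the dudle.rb and delete_poll.rb hunks), those existing names will presumably render double-encoded as `&amp;amp;`. A one-off migration that unescapes stored names, or an unescape step when an old poll is loaded, is needed unless the poll store is known to be empty. Because the raw user string is now persisted, every other place that renders the name — not only the two updated in this commit — must escape it as well. The enclosing `if` block starts outside the hunk.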
diff --git a/overview.rb b/overview.rb
index 31cf7d0..d6658e7 100755
--- a/overview.rb
+++ b/overview.rb
@@ -40,7 +40,7 @@ $d << <<END
#{sendlink}
<ul>
<li><input id="humanReadableURL" value="#{$conf.siteurl}" type="text" size="80" readonly="readonly"></li>
- <li><a id="mailtoURL" href='mailto:?subject=#{CGI.escapeHTML(CGI.escape(subjectstr).gsub("+","%20"))}&amp;body=#{$conf.siteurl}'>#{mailstr}</a></li>
+ <li><a id="mailtoURL" href='mailto:?subject=#{CGI.escape(subjectstr).gsub("+","%20")}&amp;body=#{$conf.siteurl}'>#{mailstr}</a></li>
</ul>
</li>
<li>
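Review bot: Dropping `CGI.escapeHTML` around the subject is safe here because `CGI.escape` output contains no HTML-significant characters, but on the same line `$conf.siteurl` goes into the `body=` parameter with no URL-encoding, so a site URL containing `&` or `#` would be cut short by the mail client. `body=#{CGI.escape($conf.siteurl).gsub("+","%20")}` keeps the whole URL intact; the same value is also placed unescaped in the `value` attribute two lines up, which is only safe as long as the configured URL never contains a quote. The heredoc continues past the end of the hunk.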