better approach to edit participant

author: Benjamin Kellermann <Benjamin.Kellermann@gmx.de> 2009-06-08 13:18:50 +0200
committer: Benjamin Kellermann <Benjamin.Kellermann@gmx.de> 2009-06-08 13:18:50 +0200
commit: 4d9d211e41d983dbaed50524cc0a91666d3bf728 (patch)
tree: d1f7443f8c51c40b298fd3557ebcfbafdef1e8c6 /poll.rb
parent: 0d2ffbf45a1879dd781912645b6a3bcf9329da8d (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/poll.rb b/poll.rb
index bf90b58..784f322 100644
--- a/poll.rb
+++ b/poll.rb
@@ -49,7 +49,7 @@ class Poll
 			ret += "<tr class='participantrow'>\n"
 			ret += "<td class='name' #{$cgi["edit"] == participant ? "id='active'":""}>"
 			ret += participant
-			ret += " <sup><a href='?edit=#{CGI.escape(participant)}'>edit</a></sup>" unless config
+			ret += " <sup><a href=\"?edit=#{CGI.escapeHTML(CGI.escape(participant))}\">edit</a></sup>" unless config
 			ret += "</td>\n"
 			@head.sort.each{|columntitle,columndescription|
 				klasse = poll[columntitle]
@@ -119,6 +119,7 @@ class Poll
 			participant = $cgi["edit"]
 			@head.each_key{|k| checked[k] = @data[participant][k]}
 		else
+			participant = ""
 			@head.each_key{|k| checked[k] = NOVAL}
 		end
 		ret = "<tr id='add_participant'>\n"
@@ -126,7 +127,7 @@ class Poll
 			<input size='16' 
 				type='text' 
 				name='add_participant'
-				value='#{participant}'
+				value=\"#{CGI.escapeHTML(participant)}\"
 				title='To change a line, add a new person with the same name!' />
 			</td>\n"
 		@head.sort.each{|columntitle,columndescription|
author	Benjamin Kellermann <Benjamin.Kellermann@gmx.de>	2009-06-08 13:18:50 +0200
committer	Benjamin Kellermann <Benjamin.Kellermann@gmx.de>	2009-06-08 13:18:50 +0200
commit	4d9d211e41d983dbaed50524cc0a91666d3bf728 (patch)
tree	d1f7443f8c51c40b298fd3557ebcfbafdef1e8c6 /poll.rb
parent	0d2ffbf45a1879dd781912645b6a3bcf9329da8d (diff)