author | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2016-04-14 22:44:44 +0200 |
committer | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2016-04-14 22:44:44 +0200 |
commit | 50e5dbbf4b6fd1593396437ef05d8e6902c0f17c (patch) | |
tree | 6af622965355d6dfe7b9a825ecb78f6d9bc2d2d0 /poll.rb | |
parent | 22d6497150e41d309b990334b8ad593b3917c4dc (diff) |
Bugfix for & in participant names
- Store real string every time
- Do HTML escaping only when strings are printed to HTML
Closes: #16
Diffstat (limited to 'poll.rb')
-rw-r--r-- | poll.rb | 20 |
1 files changed, 9 insertions, 11 deletions
@@ -90,18 +90,18 @@ class Poll
 ret += "<td><span class='edituser'>"
 ret += "<a title=\""
 ret += _("Edit user %{user}...") % {:user => CGI.escapeHTML(participant)}
- ret += "\" href=\"?edituser=#{CGI.escapeHTML(CGI.escape(participant))}\">"
+ ret += "\" href=\"?edituser=#{CGI.escape(participant)}\">"
 ret += EDIT
 ret += "</a> | <a title=\""
 ret += _("Delete user %{user}...") % {:user => CGI.escapeHTML(participant)}
- ret += "\" href=\"?deleteuser&edituser=#{CGI.escapeHTML(CGI.escape(participant))}\">"
+ ret += "\" href=\"?deleteuser&edituser=#{CGI.escape(participant)}\">"
 ret += "#{DELETE}</a>"
 ret += "</span></td>"
 ret += "<td class='name'>"
 else
 ret += "<td class='name' colspan='2'>"
 end
- ret += "<span id=\"#{participant.to_htmlID}\">#{participant}</span>"
+ ret += "<span id=\"#{participant.to_htmlID}\">#{CGI.escapeHTML(participant)}</span>"
 ret += "</td>"
 ret
 end
@@ -417,24 +417,22 @@ FORM
 maximum ||= 0
 name = "Anonymous ##{maximum + 1}"
 end
- htmlname = CGI.escapeHTML(name)
 action = ''
- if @data.delete(CGI.escapeHTML(olduser))
+ if @data.delete(olduser)
 action = "edited"
 else
 action = "added"
 end
- @data[htmlname] = {"timestamp" => Time.now }
+ @data[name] = {"timestamp" => Time.now }
 @head.columns.each{|column|
- @data[htmlname][column] = agreed[column.to_s]
+ @data[name][column] = agreed[column.to_s]
 }
 store "Participant #{name.strip} #{action}"
 end

 def delete(name)
- htmlname = CGI.escapeHTML(name.strip)
- if @data.has_key?(htmlname)
- @data.delete(htmlname)
+ if @data.has_key?(name)
+ @data.delete(name)
 store "Participant #{name.strip} deleted"
 end
 end
@@ -445,7 +443,7 @@ FORM
 out << self.to_yaml
 out.chmod(0660)
 end
- VCS.commit(CGI.escapeHTML(comment))
+ VCS.commit(comment)
 end

 ############################### |
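Review bot: The `id` attribute on the `<span>` line still interpolates `participant.to_htmlID` with no escaping, so whether a participant name can break out of that double-quoted attribute now rests entirely on `to_htmlID`, which is not visible in this diff. The hunk correctly fixes the text node with `CGI.escapeHTML(participant)` and the hrefs (dropping the outer `escapeHTML` is right there: `CGI.escape` emits only alphanumerics, `_.-~`, `+` and `%XX`, none of which need HTML escaping), but the `id` is the one remaining sink fed from the same now-unescaped string. If `to_htmlID` does not restrict its output to id-safe characters (e.g. anything outside `[A-Za-z0-9_-]`), either tighten the helper or write `CGI.escapeHTML(participant.to_htmlID)` on that line. Either way a comment there would help the next reader: `# names are stored unescaped; to_htmlID must yield only attribute-safe characters`. The enclosing method starts before this hunk.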
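Review bot: Polls already on disk are not migrated: under the previous code a participant was keyed by `CGI.escapeHTML(name)`, so an existing file holds `Tom &amp; Jerry` as its key, while `@data.delete(olduser)` and `@data.has_key?(name)` now look up the raw `Tom & Jerry`. Those rows can no longer be edited or deleted, and once the name is escaped on output they render as `Tom &amp;amp; Jerry`. If the poll is loaded back from the YAML written by `store`, a one-off rewrite of keys on load — `@data.transform_keys! { |k| CGI.unescapeHTML(k) }` guarded by a format/version marker — would close that gap; otherwise the incompatibility should at least be stated in the commit message. Separately, `delete` now looks up `name` verbatim (consistent with `edit`, which stores it verbatim) but still logs `name.strip`; stripping once at the top of both methods would make the stored key, the lookup and the log agree. Both `edit` and the enclosing scope start before this hunk.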
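Review bot: `VCS.commit(comment)` now receives the participant name verbatim, and `comment` is built from `name.strip` in `edit` and `delete`, i.e. from request input. That is only safe if `VCS.commit` hands the message to the version-control tool as a separate argv element (`system('git', 'commit', '-m', comment)` or equivalent) rather than interpolating it into a shell string; the removed `escapeHTML` was never a shell escape, so this is not a regression, but it is the right moment to confirm since the last layer of munging is gone. A comment at the call site would record the contract: `# comment carries arbitrary user-supplied characters; VCS.commit must pass it as an argument, never through a shell`. The enclosing `store` method starts before this hunk.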