-rwxr-xr-xcustomize.rb3
-rw-r--r--poll.rb15
2 files changed, 10 insertions, 8 deletions
diff --git a/customize.rb b/customize.rb
index af64fa3..2062365 100755
--- a/customize.rb
+++ b/customize.rb
@@ -69,11 +69,12 @@ $d << "</div>"
username = $cgi.cookies["username"][0]
+username = CGI.escapeHTML(username) if username
if $cgi.include?("delete_username")
$d.html.add_cookie("username","","/",Time.now - 1*60*60*24*365)
username = nil
elsif $cgi.include?("username") && $cgi["username"] != ""
- username = $cgi["username"]
+ username = CGI.escapeHTML($cgi["username"])
$d.html.add_cookie("username",username,"/",Time.now + 1*60*60*24*365)
end
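Review bot: The escaped form-field value is persisted into the cookie on the next line (`add_cookie("username",username,...)`), and the cookie is then escaped again on read at the top of the hunk (`username = CGI.escapeHTML(username) if username`), so a name containing `&`, `<`, `>`, `"` or `'` is double-encoded on every round trip (`&` → `&amp;` → `&amp;amp;`). Output encoding should be applied once, at the point the value is interpolated into HTML, not at storage: keep the raw value for the cookie and escape afterwards, e.g. `raw = $cgi["username"]`, `$d.html.add_cookie("username", raw, "/", Time.now + 1*60*60*24*365)`, `username = CGI.escapeHTML(raw)`. The same cookie is escaped a further time in poll.rb's `edituser_to_html` (`CGI.escapeHTML($cgi.cookies["username"][0])`), and unlike this hunk that call has no nil guard, so a request without the cookie would raise a TypeError there. The escaped `username` is used after the hunk ends, so its later uses should be checked for the same pattern.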
diff --git a/poll.rb b/poll.rb
index 269fcb5..8a9be6a 100644
--- a/poll.rb
+++ b/poll.rb
@@ -178,7 +178,7 @@ class Poll
end
def invite_to_html
- edituser = $cgi["edituser"] unless $cgi.include?("deleteuser")
+ edituser = CGI.escapeHTML($cgi["edituser"]) unless $cgi.include?("deleteuser")
invitestr = _("Invite")
namestr = _("Name")
ret = <<HEAD
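Review bot: Escaping at assignment (`edituser = CGI.escapeHTML($cgi["edituser"])`) makes `edituser` an HTML-encoded string for the rest of `invite_to_html`, whose body continues past the hunk, so any later use of it as a data key or in a non-HTML context will mismatch for names containing `&`, `<`, `>`, `"` or `'`; the same pattern in `edituser_to_html` compares the encoded value against `@data` keys. Keep the raw value and escape at each interpolation site, or carry a separate variable: `edituser = $cgi["edituser"] unless $cgi.include?("deleteuser")` followed by `edituser_html = CGI.escapeHTML(edituser.to_s)`. The `.to_s` also covers the case, if this CGI instance runs in multipart mode, where `$cgi["edituser"]` is not a String — worth confirming against how `$cgi` is constructed. `CGI.escapeHTML` does encode `'`, so the single-quoted attributes emitted in the next hunk are handled by it.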
@@ -248,24 +248,25 @@ END
end
def deleteuser_to_html
+ edituser = CGI.escapeHTML($cgi["edituser"])
ret = "<tr id='add_participant'>\n"
- ret += "<td colspan='2' class='name'>#{$cgi["edituser"]}</td>"
+ ret += "<td colspan='2' class='name'>#{edituser}</td>"
ret += "<td colspan='#{@head.col_size}'>"
- ret += _("Do you really want to delete user %{user}?") % {:user => $cgi["edituser"]}
- ret += "<input type='hidden' name='delete_participant_confirm' value='#{$cgi["edituser"]}' />"
+ ret += _("Do you really want to delete user %{user}?") % {:user => edituser}
+ ret += "<input type='hidden' name='delete_participant_confirm' value='#{edituser}' />"
ret += "</td>"
- ret += save_input($cgi["edituser"], "", _("Confirm"))
+ ret += save_input(edituser, "", _("Confirm"))
ret += "</tr>"
ret
end
def edituser_to_html
- edituser = $cgi["edituser"]
+ edituser = CGI.escapeHTML($cgi["edituser"])
checked = {}
if @data.include?(edituser)
@head.columns.each{|k| checked[k] = @data[edituser][k]}
else
- edituser = $cgi.cookies["username"][0] unless @data.include?($cgi.cookies["username"][0])
+ edituser = CGI.escapeHTML($cgi.cookies["username"][0]) unless @data.include?($cgi.cookies["username"][0])
@head.columns.each{|k| checked[k] = NOVAL}
end