Diffstat (limited to '')
-rw-r--r-- | poll.rb | 15 |
1 files changed, 8 insertions, 7 deletions
@@ -178,7 +178,7 @@ class Poll end def invite_to_html - edituser = $cgi["edituser"] unless $cgi.include?("deleteuser") + edituser = CGI.escapeHTML($cgi["edituser"]) unless $cgi.include?("deleteuser") invitestr = _("Invite") namestr = _("Name") ret = <<HEAD @@ -248,24 +248,25 @@ END end def deleteuser_to_html + edituser = CGI.escapeHTML($cgi["edituser"]) ret = "<tr id='add_participant'>\n" - ret += "<td colspan='2' class='name'>#{$cgi["edituser"]}</td>" + ret += "<td colspan='2' class='name'>#{edituser}</td>" ret += "<td colspan='#{@head.col_size}'>" - ret += _("Do you really want to delete user %{user}?") % {:user => $cgi["edituser"]} - ret += "<input type='hidden' name='delete_participant_confirm' value='#{$cgi["edituser"]}' />" + ret += _("Do you really want to delete user %{user}?") % {:user => edituser} + ret += "<input type='hidden' name='delete_participant_confirm' value='#{edituser}' />" ret += "</td>" - ret += save_input($cgi["edituser"], "", _("Confirm")) + ret += save_input(edituser, "", _("Confirm")) ret += "</tr>" ret end def edituser_to_html - edituser = $cgi["edituser"] + edituser = CGI.escapeHTML($cgi["edituser"]) checked = {} if @data.include?(edituser) @head.columns.each{|k| checked[k] = @data[edituser][k]} else - edituser = $cgi.cookies["username"][0] unless @data.include?($cgi.cookies["username"][0]) + edituser = CGI.escapeHTML($cgi.cookies["username"][0]) unless @data.include?($cgi.cookies["username"][0]) @head.columns.each{|k| checked[k] = NOVAL} end |
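Review bot: Escaping `$cgi["edituser"]` at the point of assignment makes `edituser` an HTML-encoded string for every later use, not only for output. invite_to_html continues outside this hunk, so its later uses are not visible, but in the second hunk edituser_to_html passes the encoded value to `@data.include?(edituser)` and `@data[edituser][k]`. If `@data` is keyed by the raw participant name, a name containing `&`, `<`, `>` or a quote would no longer be found, and the else branch still checks the raw cookie value, so the two lookups are inconsistent. Consider keeping `edituser = $cgi["edituser"]` for lookups and encoding only where the value is written into markup, e.g. `#{CGI.escapeHTML(edituser)}`.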
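Review bot: In the else branch of edituser_to_html, `CGI.escapeHTML($cgi.cookies["username"][0])` runs before the cookie is known to exist. When the request carries no username cookie, `[0]` is presumably nil and escapeHTML would raise, where the old code only assigned nil. A guard such as `CGI.escapeHTML($cgi.cookies["username"][0].to_s)` avoids that. In deleteuser_to_html the already-encoded `edituser` is also handed to `save_input`, whose body is not shown; if it encodes its argument itself, the name will be double-encoded in the form.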