From 4429d6269252a329fa579e19ff1a32ce694a5a4d Mon Sep 17 00:00:00 2001 From: Benjamin Kellermann Date: Mon, 7 Jan 2019 21:45:08 +0100 Subject: proper output encoding of poll title --- delete_poll.rb | 2 +- dudle.rb | 2 +- index.cgi | 2 +- overview.rb | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/delete_poll.rb b/delete_poll.rb index a88ec5d..624567c 100755 --- a/delete_poll.rb +++ b/delete_poll.rb @@ -106,7 +106,7 @@ else end $d.html << "

" + _("Delete this poll") + "

" -$d.html << _("You want to delete the poll named") + " #{$d.table.name}.
" +$d.html << _("You want to delete the poll named") + " #{CGI.escapeHTML($d.table.name)}.
" $d.html << _("This is an irreversible action!") + "
" $d.html << _("If you are sure that you want to permanently remove this poll, please type “%{question}” into the form.") % {:question => QUESTIONS[confirm]} deletestr = _("Delete") diff --git a/dudle.rb b/dudle.rb index 210c367..53edbae 100644 --- a/dudle.rb +++ b/dudle.rb @@ -180,7 +180,7 @@ HEAD
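Review bot: `CGI.escapeHTML($d.table.name)` on the new line is the right place to encode a name that is stored raw, but the index.cgi hunk of this same commit stops escaping `polltitle` before `Poll.new`, which implies polls created by the old code already hold an HTML-escaped name; if `Poll.new` persists the name as given, those existing polls now render double-escaped here (a stored `&amp;` is shown to the user as the literal text `&amp;`). The same applies to the `#{CGI.escapeHTML(@title)}` line in the dudle.rb hunk and to the overview.rb hunk. A one-off migration of stored names (for example applying `CGI.unescapeHTML` once to titles written by the old code), or a documented cut-off, would close that gap. The code enclosing this hunk starts before line 106 and is outside the diff.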
#{tabs_to_html(@tab)}
-

#{@title}

+

#{CGI.escapeHTML(@title)}

HEAD diff --git a/index.cgi b/index.cgi index b96a358..05a17b3 100755 --- a/index.cgi +++ b/index.cgi @@ -60,7 +60,7 @@ if $cgi.include?("create_poll") && $cgi.include?("poll_url") File.open(f,"w").close VCS.add(f) } - Poll.new(CGI.escapeHTML(polltitle),$cgi["poll_type"]) + Poll.new(polltitle,$cgi["poll_type"]) Dir.chdir("..") $d.html.header["status"] = "REDIRECT" $d.html.header["Cache-Control"] = "no-cache" diff --git a/overview.rb b/overview.rb index 31cf7d0..d6658e7 100755 --- a/overview.rb +++ b/overview.rb @@ -40,7 +40,7 @@ $d << <
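Review bot: Dropping `CGI.escapeHTML` from `Poll.new(polltitle,$cgi["poll_type"])` means the raw title is now persisted and every output site becomes responsible for encoding it; this commit covers the three sites in delete_poll.rb, dudle.rb and overview.rb, but any other place the name is interpolated into HTML, a feed or a mail body, outside this diff, would now emit it unencoded unless it already escapes. A short comment on the new line would keep that contract visible to the next reader: `# poll title is stored raw; encode at every output site (CGI.escapeHTML for HTML)`. The enclosing `if` block starts before line 60 and continues past the hunk.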
  • -
  • #{mailstr}
  • +
  • #{mailstr}
  • -- cgit v1.2.3