From: <jh...@us...> - 2011-03-29 18:30:58
Revision: 291 http://nventory.svn.sourceforge.net/nventory/?rev=291&view=rev Author: jhtran Date: 2011-03-29 18:30:52 +0000 (Tue, 29 Mar 2011) Log Message: ----------- escaped the account name to prevent xss Modified Paths: -------------- trunk/server/app/views/layouts/application.html.erb Modified: trunk/server/app/views/layouts/application.html.erb =================================================================== --- trunk/server/app/views/layouts/application.html.erb 2011-03-23 17:34:52 UTC (rev 290) +++ trunk/server/app/views/layouts/application.html.erb 2011-03-29 18:30:52 UTC (rev 291) @@ -22,7 +22,7 @@ <p id="account_links"> <%- if logged_in_account -%> - <%= "Welcome back, #{link_to logged_in_account.name, account_path(logged_in_account)}! | #{link_to "Help", HELP_URL} | " %> + <%= "Welcome back, #{link_to h(logged_in_account.name), account_path(logged_in_account)}! | #{link_to "Help", HELP_URL} | " %> <%= session[:sso] ? link_to("Logout (SSO)", sso_obj.logout_url) : link_to("Logout", :controller => 'login', :action => 'logout') %> <%- else -%> <%= (SSO_AUTH_SERVER && SSO_LOGIN_URL) ? " | #{link_to "Login (SSO)", SSO_LOGIN_URL}" : " | #{link_to("Login", :controller => 'login', :action => 'login')}" %>
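Review bot: the `h()` wrapper fixes only this one interpolation of `logged_in_account.name` in the layout, and the hunk gives no indication that other views rendering an account name were checked. Because the whole greeting is built as a plain Ruby string and emitted with `<%= ... %>`, nothing in this pattern escapes for you: `link_to` passes its link text through unescaped, so every interpolated value that originates from user input has to be wrapped individually, exactly as the `+` line does. It would be worth extending the log message to say whether the remaining occurrences of `logged_in_account.name` (and any other account field shown in a view) were audited, or doing that as a follow-up in the same change set. A regression test that renders this layout for an account whose name contains `<` and `>` and asserts the response body contains `&lt;` and `&gt;` rather than a literal tag would keep the escaping from being dropped by a later edit to this line.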