From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Tue, 17 Feb 2015 17:47:36 +0000
Subject: [PATCH] Escape flash messages (#19117).

git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/account_controller.rb | 2 +-
 app/controllers/admin_controller.rb   | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -290,7 +290,7 @@ class AccountController < ApplicationCon
     token = Token.new(:user => user, :action => "register")
     if user.save and token.save
       Mailer.register(token).deliver
-      flash[:notice] = l(:notice_account_register_done, :email => user.mail)
+      flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
       redirect_to signin_path
     else
       yield if block_given?
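Review bot: The escaped value on the `+` line is only safe if the place that renders `flash[:notice]` treats the stored string as already-escaped HTML, and nothing at this assignment says so, leaving the contract implicit for the next maintainer who adds a flash message with interpolated data. I would document it where the value is built, e.g. `# flash values are rendered as HTML without further escaping (presumably html_safe in the layout — confirm), so interpolated user data must be escaped here`. The same implicit contract applies to the two hunks in admin_controller.rb. The enclosing register method starts and ends outside this hunk.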
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -51,7 +51,7 @@ class AdminController < ApplicationContr
         Redmine::DefaultData::Loader::load(params[:lang])
         flash[:notice] = l(:notice_default_data_loaded)
       rescue Exception => e
-        flash[:error] = l(:error_can_t_load_default_data, e.message)
+        flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
       end
     end
     redirect_to admin_path
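Review bot: The new line escapes `e.message` directly, while the second hunk of this file passes the message through `Redmine::CodesetUtil.replace_invalid_utf8` first; if a loader exception message carries invalid byte sequences, `ERB::Util.h` (which rewrites the string with gsub) can itself raise an `ArgumentError` inside this rescue block, turning a reported error into an unhandled one. I would make the two sites consistent: `flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))`. The `rescue Exception` above is pre-existing and not part of this change, but it widens what reaches this line, so the handler should not be able to raise. The enclosing method starts outside the hunk.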
@@ -63,9 +63,9 @@ class AdminController < ApplicationContr
     ActionMailer::Base.raise_delivery_errors = true
     begin
       @test = Mailer.test_email(User.current).deliver
-      flash[:notice] = l(:notice_email_sent, User.current.mail)
+      flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
     rescue Exception => e
-      flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message))
+      flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
     end
     ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
     redirect_to settings_path(:tab => 'notifications')
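Review bot: The `.dup` added on the `e.message` line is not explained, and a reader cannot tell whether it guards against `replace_invalid_utf8` mutating its argument or against a frozen message string; either way it deserves a comment so it is not removed as redundant later, e.g. `# dup: the message may be frozen or altered in place by replace_invalid_utf8 — confirm which`. The `User.current.mail` line above is fine as changed. The enclosing test_email method starts outside this hunk, so the earlier `raise_delivery_errors` assignment it restores on the last line is not visible here.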
