Commit 151b4cd4 authored by Eric Davis

[#163] Add extra escape in mail_to's javascript. Rails CVE-2011-0446

parent 2b6a9828
......@@ -7,7 +7,7 @@
<div class="splitcontentleft">
<ul>
<% unless @user.pref.hide_mail %>
<li><%=l(:field_mail)%>: <%= mail_to(h(@user.mail), nil, :encode => 'javascript') %></li>
<li><%=l(:field_mail)%>: <%= mail_to(h(escape_javascript(@user.mail)), nil, :encode => 'javascript') %></li>
<% end %>
<% @user.visible_custom_field_values.each do |custom_value| %>
<% if !custom_value.value.blank? %>
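Review bot: The new mail_to line is a view-level workaround for the framework issue named in the title and should say so, otherwise a later cleanup will read `h(escape_javascript(@user.mail))` as a redundant double escape and drop one layer; a comment such as `<%# escape_javascript before h: :encode => 'javascript' embeds the address in a JS string literal (Rails CVE-2011-0446) %>` on the line above it would protect it. The order is the point: `:encode => 'javascript'` writes the anchor through a JavaScript string, so escape_javascript handles that string context and h handles the HTML attribute and text inside it, and both stay necessary until the application runs on a Rails release that fixes mail_to itself. Any other partial that calls mail_to with `:encode => 'javascript'` on a user-controlled address presumably needs the same treatment; this hunk covers only this one. The enclosing `<ul>` and the custom-field loop continue outside the hunk.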