diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 292150b6ca21c47a1a24d6227e744784cc050023..6abe43fa62d787a0a0468234ed2b20a464d9ff72 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -111,7 +111,7 @@ module ApplicationHelper
     text = options.delete(:text) || format_revision(revision)
     rev = revision.respond_to?(:identifier) ? revision.identifier : revision
 
-    link_to(text, {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev},
+    link_to(h(text), {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev},
             :title => l(:label_revision_id, format_revision(revision)))
   end
   
@@ -421,7 +421,7 @@ module ApplicationHelper
   def html_title(*args)
     if args.empty?
       title = []
-      title << @project.name if @project
+      title << h(@project.name) if @project
       title += @html_title if @html_title
       title << Setting.app_title
       title.select {|t| !t.blank? }.join(' - ')
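Review bot: Escaping of the page title is now split between this method and its callers: `@project.name` is escaped here, while the values that reach `@html_title` through the argument branch (outside this hunk) are left to each call site, and the views in this commit wrap them in h() one by one. One missed call site then lands in `<title>` unescaped, and a call site that passes already-escaped text gets `&amp;amp;` once escaping is added here later. Consider escaping inside the argument branch of html_title and dropping the h() wrappers at the call sites, or at least pin the contract with a comment such as `# Arguments are expected to be HTML-escaped by the caller; only @project.name is escaped here.` `Setting.app_title` is joined in unescaped as well; acceptable if it is admin-only, but the same treatment would keep the method uniform. html_title's else branch and its end lie outside the hunk.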
@@ -572,7 +572,7 @@ module ApplicationHelper
               wiki_page_id = page.present? ? Wiki.titleize(page) : nil
               url_for(:only_path => only_path, :controller => 'wiki', :action => 'show', :project_id => link_project, :id => wiki_page_id, :anchor => anchor)
             end
-          link_to((title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new')))
+          link_to(h(title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new')))
         else
           # project or wiki doesn't exist
           all
@@ -626,7 +626,7 @@ module ApplicationHelper
         if prefix.nil? && sep == 'r'
           # project.changesets.visible raises an SQL error because of a double join on repositories
           if project && project.repository && (changeset = Changeset.visible.find_by_repository_id_and_revision(project.repository.id, identifier))
-            link = link_to("#{project_prefix}r#{identifier}", {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
+            link = link_to(h("#{project_prefix}r#{identifier}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
                                       :class => 'changeset',
                                       :title => truncate_single_line(changeset.comments, :length => 100))
           end
@@ -676,7 +676,7 @@ module ApplicationHelper
             if project && project.repository && (changeset = Changeset.visible.find(:first, :conditions => ["repository_id = ? AND scmid LIKE ?", project.repository.id, "#{name}%"]))
               link = link_to h("#{project_prefix}#{name}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.identifier},
                                            :class => 'changeset',
-                                           :title => truncate_single_line(changeset.comments, :length => 100)
+                                           :title => truncate_single_line(h(changeset.comments), :length => 100)
             end
           when 'source', 'export'
             if project && project.repository && User.current.allowed_to?(:browse_repository, project)
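Review bot: The :title attribute is now escaped before truncation on the changed line, so `:length => 100` counts entity characters and a cut can land inside an entity such as `&quot;`, leaving a stray `&qu` at the end of the tooltip; the sibling changeset link in the previous hunk (`:title => truncate_single_line(changeset.comments, :length => 100)`) was left unescaped, so the two branches disagree. Truncate first and escape the result in both places: `:title => h(truncate_single_line(changeset.comments, :length => 100))`. If link_to's attribute handling in this Rails version already escapes attribute values, the explicit h() is redundant rather than harmful, but the ordering point stands. The enclosing method starts and ends outside the hunk.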
@@ -842,7 +842,7 @@ module ApplicationHelper
       options[:class] << ' disabled'
       url = '#'
     end
-    link_to name, url, options
+    link_to h(name), url, options
   end
 
   def calendar_for(field_id)
diff --git a/app/helpers/calendars_helper.rb b/app/helpers/calendars_helper.rb
index 08e665dcd4eeb95a44603cb0958255d1e38708b7..fb32a11c17307e8b9c6bd87f5ff5e59e79378ef9 100644
--- a/app/helpers/calendars_helper.rb
+++ b/app/helpers/calendars_helper.rb
@@ -36,7 +36,7 @@ module CalendarsHelper
 
     link_target = calendar_path(:year => year, :month => month, :project_id => project_id)
 
-    link_to_remote(link_name,
+    link_to_remote(h(link_name),
                    {:update => "content", :url => link_target, :method => :put},
                    {:href => link_target})
 
diff --git a/app/helpers/custom_fields_helper.rb b/app/helpers/custom_fields_helper.rb
index 107d0ac873b73d25a186bead6301c93d31d61e06..16d1d95b19cf391ced95eddc0078bcfed2155beb 100644
--- a/app/helpers/custom_fields_helper.rb
+++ b/app/helpers/custom_fields_helper.rb
@@ -57,7 +57,7 @@ module CustomFieldsHelper
   
   # Return custom field label tag
   def custom_field_label_tag(name, custom_value)
-    content_tag "label", custom_value.custom_field.name +
+    content_tag "label", h(custom_value.custom_field.name) +
 	(custom_value.custom_field.is_required? ? " <span class=\"required\">*</span>" : ""),
 	:for => "#{name}_custom_field_values_#{custom_value.custom_field.id}",
 	:class => (custom_value.errors.empty? ? nil : "error" )
diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
index ce23668ef7bcb691b5ed8f5b2264b460ba4771e7..7b70ec924a4cb0d06fe75db00b7fbf7575cbfdf2 100644
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@@ -48,11 +48,11 @@ module IssuesHelper
 
     link_to_issue(issue) + "<br /><br />" +
       "<strong>#{@cached_label_project}</strong>: #{link_to_project(issue.project)}<br />" +
-      "<strong>#{@cached_label_status}</strong>: #{issue.status.name}<br />" +
+      "<strong>#{@cached_label_status}</strong>: #{h(issue.status.name)}<br />" +
       "<strong>#{@cached_label_start_date}</strong>: #{format_date(issue.start_date)}<br />" +
       "<strong>#{@cached_label_due_date}</strong>: #{format_date(issue.due_date)}<br />" +
-      "<strong>#{@cached_label_assigned_to}</strong>: #{issue.assigned_to}<br />" +
-      "<strong>#{@cached_label_priority}</strong>: #{issue.priority.name}"
+      "<strong>#{@cached_label_assigned_to}</strong>: #{h(issue.assigned_to)}<br />" +
+      "<strong>#{@cached_label_priority}</strong>: #{h(issue.priority.name)}"
   end
     
   def render_issue_subject_with_tree(issue)
diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb
index e9ab3769f7785815bb6748321525865303dd99e2..2ba1a4251e6304bc8584349120caae0e6a966362 100644
--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@@ -23,8 +23,8 @@ module QueriesHelper
   
   def column_header(column)
     column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption,
-                                                        :default_order => column.default_order) : 
-                      content_tag('th', column.caption)
+                                                        :default_order => column.default_order) :
+                      content_tag('th', h(column.caption))
   end
   
   def column_content(column, issue)
@@ -45,7 +45,7 @@ module QueriesHelper
       if column.name == :done_ratio
         progress_bar(value, :width => '80px')
       else
-        value.to_s
+        h(value.to_s)
       end
     when 'User'
       link_to_user value
diff --git a/app/helpers/reports_helper.rb b/app/helpers/reports_helper.rb
index c733a063439c36cbd029304bc042b7468df77f98..af8fb8ddcaf4466f9216d3d1ff866e9fa41619df 100644
--- a/app/helpers/reports_helper.rb
+++ b/app/helpers/reports_helper.rb
@@ -31,6 +31,6 @@ module ReportsHelper
   
   def aggregate_link(data, criteria, *args)
     a = aggregate data, criteria
-    a > 0 ? link_to(a, *args) : '-'
-  end  
+    a > 0 ? link_to(h(a), *args) : '-'
+  end
 end
diff --git a/app/helpers/repositories_helper.rb b/app/helpers/repositories_helper.rb
index bf3c045e160806b0a638828280ae0399c155b50a..b9272b7ca223463bd09a4e1ed048ae0ef8d951dc 100644
--- a/app/helpers/repositories_helper.rb
+++ b/app/helpers/repositories_helper.rb
@@ -87,7 +87,7 @@ module RepositoriesHelper
       if s = tree[file][:s]
         style << ' folder'
         path_param = to_path_param(@repository.relative_path(file))
-        text = link_to(text, :controller => 'repositories',
+        text = link_to(h(text), :controller => 'repositories',
                              :action => 'show',
                              :id => @project,
                              :path => path_param,
@@ -97,18 +97,18 @@ module RepositoriesHelper
       elsif c = tree[file][:c]
         style << " change-#{c.action}"
         path_param = to_path_param(@repository.relative_path(c.path))
-        text = link_to(text, :controller => 'repositories',
+        text = link_to(h(text), :controller => 'repositories',
                              :action => 'entry',
                              :id => @project,
                              :path => path_param,
                              :rev => @changeset.identifier) unless c.action == 'D'
-        text << " - #{c.revision}" unless c.revision.blank?
+        text << " - #{h(c.revision)}" unless c.revision.blank?
         text << ' (' + link_to('diff', :controller => 'repositories',
                                        :action => 'diff',
                                        :id => @project,
                                        :path => path_param,
                                        :rev => @changeset.identifier) + ') ' if c.action == 'M'
-        text << ' ' + content_tag('span', c.from_path, :class => 'copied-from') unless c.from_path.blank?
+        text << ' ' + content_tag('span', h(c.from_path), :class => 'copied-from') unless c.from_path.blank?
         output << "<li class='#{style}'>#{text}</li>"
       end
     end
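Review bot: For a deleted entry (`c.action == 'D'`) the `unless` modifier skips the whole assignment, so `text` keeps its raw value and is written into the `<li>` unescaped, while every other branch in these two hunks now escapes it; unless `text` is already escaped where it is initialised above the first hunk, the deleted-file name is the one path left open. Escaping once before the branching, e.g. `text = h(text)` ahead of the `if s = tree[file][:s]` test, and passing the plain `text` to both link_to calls closes that gap and removes any chance of escaping the same string twice. `c.action` is also interpolated into the class attribute through `style` without escaping; it is presumably a one-letter SCM code, but it comes from stored changeset data rather than a fixed list. The surrounding method starts outside both hunks.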
diff --git a/app/helpers/search_helper.rb b/app/helpers/search_helper.rb
index b8f416c5845232bffd8062bd2de1156c82b7e083..9342857434ea7c95a7abe9ad7539ef161250bd6f 100644
--- a/app/helpers/search_helper.rb
+++ b/app/helpers/search_helper.rb
@@ -57,7 +57,7 @@ module SearchHelper
       c = results_by_type[t]
       next if c == 0
       text = "#{type_label(t)} (#{c})"
-      links << link_to(text, :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1)
+      links << link_to(h(text), :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1)
     end
     ('<ul>' + links.map {|link| content_tag('li', link)}.join(' ') + '</ul>') unless links.empty?
   end
diff --git a/app/helpers/sort_helper.rb b/app/helpers/sort_helper.rb
index c1a89db5ab29c4ace5a738dccda771b018bb6093..a7055fcc2285d3f0983f32d130a26d7e515d73b1 100644
--- a/app/helpers/sort_helper.rb
+++ b/app/helpers/sort_helper.rb
@@ -206,7 +206,7 @@ module SortHelper
      # Add project_id to url_options
     url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id)
 
-    link_to_remote(caption,
+    link_to_remote(h(caption),
                   {:update => "content", :url => url_options, :method => :get},
                   {:href => url_for(url_options),
                    :class => css})
diff --git a/app/helpers/timelog_helper.rb b/app/helpers/timelog_helper.rb
index d314a96f40f0b6bc099b67586799b378b280c968..df3cf79b94339b3a2a55ead52a8ec2d951aaf3ad 100644
--- a/app/helpers/timelog_helper.rb
+++ b/app/helpers/timelog_helper.rb
@@ -129,7 +129,7 @@ module TimelogHelper
     elsif k = @available_criterias[criteria][:klass]
       obj = k.find_by_id(value.to_i)
       if obj.is_a?(Issue)
-        obj.visible? ? "#{obj.tracker} ##{obj.id}: #{obj.subject}" : "##{obj.id}"
+        obj.visible? ? h("#{obj.tracker} ##{obj.id}: #{obj.subject}") : h("##{obj.id}")
       else
         obj
       end
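Review bot: Only the Issue branch is escaped here; the else branch on the following line still returns `obj` itself, so the two branches now follow different rules — if the view emits the result raw, a Project or User name from the non-Issue branch is unescaped, and if the view escapes it, the new h() calls here come out as `&amp;amp;`. Pick one side: either return `h(obj)` in the else branch so the method always yields escaped text, or leave escaping to the view and drop the h() here. The method's head and its remaining branches are outside the hunk, so the caller's behaviour can only be inferred.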
diff --git a/app/views/activities/index.html.erb b/app/views/activities/index.html.erb
index 03cc8c6817d2b08c004fbcbb9b0ea1be781d947a..b7a375231a5e4cc3bfd649c9abd7e0455d51308e 100644
--- a/app/views/activities/index.html.erb
+++ b/app/views/activities/index.html.erb
@@ -12,7 +12,7 @@
   <%= content_tag('span', h(e.project), :class => 'project') if @project.nil? || @project != e.project %>
   <%= link_to format_activity_title(e.event_title), e.event_url %></dt>
   <dd><span class="description"><%= format_activity_description(e.event_description) %></span>
-  <span class="author"><%= e.event_author if e.respond_to?(:event_author) %></span></dd>
+  <span class="author"><%= link_to_user(e.event_author) if e.respond_to?(:event_author) %></span></dd>
 <% end -%>
 </dl>
 <% end -%>
diff --git a/app/views/attachments/_links.rhtml b/app/views/attachments/_links.rhtml
index 19ab6734a11380598384b3c42464c4b6de8f51af..4f4e2d180de9a937e7dbc923f1b19abd324a5ffe 100644
--- a/app/views/attachments/_links.rhtml
+++ b/app/views/attachments/_links.rhtml
@@ -11,7 +11,7 @@
                                          :title => l(:button_delete) %>
   <% end %>
   <% if options[:author] %>
-    <span class="author"><%= attachment.author %>, <%= format_time(attachment.created_on) %></span>
+    <span class="author"><%= h(attachment.author) %>, <%= format_time(attachment.created_on) %></span>
   <% end %>
   </p>
 <% end %>
diff --git a/app/views/attachments/diff.rhtml b/app/views/attachments/diff.rhtml
index 36db0af52877e59577b1a3380da3fa9e274bebb2..36e47217ba875761acba9fef0fd4597e682d12e1 100644
--- a/app/views/attachments/diff.rhtml
+++ b/app/views/attachments/diff.rhtml
@@ -2,7 +2,7 @@
 
 <div class="attachments">
 <p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %>
-   <span class="author"><%= @attachment.author %>, <%= format_time(@attachment.created_on) %></span></p>
+   <span class="author"><%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %></span></p>
 <p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%>
    <span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p>
 
@@ -10,7 +10,7 @@
 &nbsp;
 <%= render :partial => 'common/diff', :locals => {:diff => @diff, :diff_type => @diff_type} %>
 
-<% html_title @attachment.filename %>
+<% html_title h(@attachment.filename) %>
 
 <% content_for :header_tags do -%>
     <%= stylesheet_link_tag "scm" -%>
diff --git a/app/views/attachments/file.rhtml b/app/views/attachments/file.rhtml
index c7e7a7573b5cbbcd604c8fbe2080025843ca4218..fde551f8bdc11bc1a0995e160e9f161edf673d23 100644
--- a/app/views/attachments/file.rhtml
+++ b/app/views/attachments/file.rhtml
@@ -2,7 +2,7 @@
 
 <div class="attachments">
 <p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %>
-   <span class="author"><%= @attachment.author %>, <%= format_time(@attachment.created_on) %></span></p>
+   <span class="author"><%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %></span></p>
 <p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%>
    <span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p>
 
@@ -10,7 +10,7 @@
 &nbsp;
 <%= render :partial => 'common/file', :locals => {:content => @content, :filename => @attachment.filename} %>
 
-<% html_title @attachment.filename %>
+<% html_title h(@attachment.filename) %>
 
 <% content_for :header_tags do -%>
     <%= stylesheet_link_tag "scm" -%>
diff --git a/app/views/auth_sources/edit.rhtml b/app/views/auth_sources/edit.rhtml
index 165fd4f3ec68b53896d0041a6fcf726589c15b86..e2c99aa3c5e49458e228905783d44f0efdb0ce00 100644
--- a/app/views/auth_sources/edit.rhtml
+++ b/app/views/auth_sources/edit.rhtml
@@ -1,4 +1,4 @@
-<h2><%=l(:label_auth_source)%> (<%= @auth_source.auth_method_name %>)</h2>
+<h2><%=l(:label_auth_source)%> (<%= h(@auth_source.auth_method_name) %>)</h2>
 
 <% form_tag({:action => 'update', :id => @auth_source}, :class => "tabular") do %>
   <%= render :partial => 'form' %>
diff --git a/app/views/auth_sources/new.rhtml b/app/views/auth_sources/new.rhtml
index 2d493dc3ae297eca8f75257bef8aeebb920f5b47..d0b9b1d4303a199b186f55640a909e5561a4bf3c 100644
--- a/app/views/auth_sources/new.rhtml
+++ b/app/views/auth_sources/new.rhtml
@@ -1,4 +1,4 @@
-<h2><%=l(:label_auth_source_new)%> (<%= @auth_source.auth_method_name %>)</h2>
+<h2><%=l(:label_auth_source_new)%> (<%= h(@auth_source.auth_method_name) %>)</h2>
 
 <% form_tag({:action => 'create'}, :class => "tabular") do %>
   <%= render :partial => 'form' %>
diff --git a/app/views/boards/show.rhtml b/app/views/boards/show.rhtml
index 23e453e384edb69e0bdde60876ef1c0d29f556ce..6c55131a843125ad27df3524a64e170272d2fea0 100644
--- a/app/views/boards/show.rhtml
+++ b/app/views/boards/show.rhtml
@@ -43,7 +43,7 @@
   <% @topics.each do |topic| %>
     <tr class="message <%= cycle 'odd', 'even' %> <%= topic.sticky? ? 'sticky' : '' %> <%= topic.locked? ? 'locked' : '' %>">
       <td class="subject"><%= link_to h(topic.subject), { :controller => 'messages', :action => 'show', :board_id => @board, :id => topic } %></td>
-      <td class="author" align="center"><%= topic.author %></td>
+      <td class="author" align="center"><%= link_to_user(topic.author) %></td>
       <td class="created_on" align="center"><%= format_time(topic.created_on) %></td>
       <td class="replies" align="center"><%= topic.replies_count %></td>
       <td class="last_message">
diff --git a/app/views/common/_diff.rhtml b/app/views/common/_diff.rhtml
index 619790c1378bbfd106a76bbbedefa98b2614fc8d..4bf896c97309fcac08cb563732e8de52e9a0d30b 100644
--- a/app/views/common/_diff.rhtml
+++ b/app/views/common/_diff.rhtml
@@ -4,7 +4,7 @@
 <% if diff_type == 'sbs' -%>
 <table class="filecontent">
 <thead>
-<tr><th colspan="4" class="filename"><%=to_utf8 table_file.file_name %></th></tr>
+<tr><th colspan="4" class="filename"><%=h(to_utf8(table_file.file_name)) %></th></tr>
 </thead>
 <tbody>
 <% prev_line_left, prev_line_right = nil, nil -%>
@@ -31,7 +31,7 @@
 <% else -%>
 <table class="filecontent syntaxhl">
 <thead>
-<tr><th colspan="3" class="filename"><%=to_utf8 table_file.file_name %></th></tr>
+<tr><th colspan="3" class="filename"><%= h(to_utf8(table_file.file_name)) %></th></tr>
 </thead>
 <tbody>
 <% prev_line_left, prev_line_right = nil, nil -%>
diff --git a/app/views/common/error.html.erb b/app/views/common/error.html.erb
index 35d9086452765ec3b3d2d1bb318857f6040f471c..cbded214f2eb58356e17310109a1b1e2098f7dfd 100644
--- a/app/views/common/error.html.erb
+++ b/app/views/common/error.html.erb
@@ -1,6 +1,6 @@
-<h2><%=h @status %></h2>
-
-<p id="errorExplanation"><%=h @message %></p>
-<p><a href="javascript:history.back()">Back</a></p>
-
-<% html_title @status %>
+<h2><%=h @status %></h2>
+
+<p id="errorExplanation"><%=h @message %></p>
+<p><a href="javascript:history.back()">Back</a></p>
+
+<% html_title h(@status) %>
diff --git a/app/views/custom_fields/_form.rhtml b/app/views/custom_fields/_form.rhtml
index a71df87aad127ad4f82e279c080776ece4479077..0206fe8053c91eff2d9fd246a6b3225fa81c94e8 100644
--- a/app/views/custom_fields/_form.rhtml
+++ b/app/views/custom_fields/_form.rhtml
@@ -74,7 +74,7 @@ when "IssueCustomField" %>
     
     <fieldset><legend><%=l(:label_tracker_plural)%></legend>
     <% for tracker in @trackers %>
-        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= tracker.name %>
+        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= h(tracker.name) %>
     <% end %>
 		<%= hidden_field_tag "custom_field[tracker_ids][]", '' %>
     </fieldset>
diff --git a/app/views/custom_fields/_index.rhtml b/app/views/custom_fields/_index.rhtml
index 21ae01beff344486f1d0f861cde5105124295150..a6495fbfefd610c07c31c58520c7970065df9f32 100644
--- a/app/views/custom_fields/_index.rhtml
+++ b/app/views/custom_fields/_index.rhtml
@@ -13,7 +13,7 @@
   <tbody>
 	<% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%>
 		<tr class="<%= cycle("odd", "even") %>">
-			<td><%= link_to custom_field.name, :action => 'edit', :id => custom_field %></td>
+			<td><%= link_to h(custom_field.name), :action => 'edit', :id => custom_field %></td>
 			<td align="center"><%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %></td>
 			<td align="center"><%= checked_image custom_field.is_required? %></td>
 			<% if tab[:name] == 'IssueCustomField' %>
diff --git a/app/views/documents/show.rhtml b/app/views/documents/show.rhtml
index 63e3210136c9e464f0514887fd872e5c7fdb4727..29845bfa336ae31eb61cb3d3efed0af816b273ae 100644
--- a/app/views/documents/show.rhtml
+++ b/app/views/documents/show.rhtml
@@ -25,7 +25,7 @@
   <% end %> 
 <% end %>
 
-<% html_title @document.title -%>
+<% html_title h(@document.title) -%>
 
 <% content_for :header_tags do %>
     <%= stylesheet_link_tag 'scm' %>
diff --git a/app/views/gantts/show.html.erb b/app/views/gantts/show.html.erb
index 82036627915ab73609687bb0b258763356dfa6e3..d1c86788ba01a5377c1fc91ecb7442406b7c4f57 100644
--- a/app/views/gantts/show.html.erb
+++ b/app/views/gantts/show.html.erb
@@ -101,7 +101,7 @@ height = (show_weeks ? header_heigth : header_heigth + g_height)
 	width = ((month_f >> 1) - month_f) * zoom - 1
 	%>
 	<div style="left:<%= left %>px;width:<%= width %>px;height:<%= height %>px;" class="gantt_hdr">
-	<%= link_to "#{month_f.year}-#{month_f.month}", @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%>
+	<%= link_to h("#{month_f.year}-#{month_f.month}"), @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%>
 	</div>
 	<% 
 	left = left + width + 1
diff --git a/app/views/issue_statuses/index.html.erb b/app/views/issue_statuses/index.html.erb
index 03f767252a17c31dd61abb29d6779e09e4bf6bcc..9b6a552f7fb878281822d2c9dceed840df7675d1 100644
--- a/app/views/issue_statuses/index.html.erb
+++ b/app/views/issue_statuses/index.html.erb
@@ -19,7 +19,7 @@
   <tbody>  
 <% for status in @issue_statuses %>
   <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to status.name, :action => 'edit', :id => status %></td>
+  <td><%= link_to h(status.name), :action => 'edit', :id => status %></td>
   <% if Issue.use_status_for_done_ratio? %>
   <td align="center"><%= h status.default_done_ratio %></td>
   <% end %>
diff --git a/app/views/issues/_attributes.rhtml b/app/views/issues/_attributes.rhtml
index e10858b09e5c9065d3eef46a20f5d739dfad86cf..99ee5b96bb1c7ce88ae164b7a87735ae95511a84 100644
--- a/app/views/issues/_attributes.rhtml
+++ b/app/views/issues/_attributes.rhtml
@@ -4,7 +4,7 @@
 <% if @issue.new_record? || @allowed_statuses.any? %>
 <p><%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %></p>
 <% else %>
-<p><label><%= l(:field_status) %></label> <%= @issue.status.name %></p>
+<p><label><%= l(:field_status) %></label> <%= h(@issue.status.name) %></p>
 <% end %>
 
 <p><%= f.select :priority_id, (@priorities.collect {|p| [p.name, p.id]}), {:required => true}, :disabled => !@issue.leaf? %></p>
diff --git a/app/views/issues/_list_simple.rhtml b/app/views/issues/_list_simple.rhtml
index dd7f48946a2f31e2fc2b0728bf46b121b90209f6..1fcb07aeec8f943a22f3426de64cf1c183ed935b 100644
--- a/app/views/issues/_list_simple.rhtml
+++ b/app/views/issues/_list_simple.rhtml
@@ -9,10 +9,10 @@
 		</tr></thead>
 		<tbody>	
 		<% for issue in issues %>
-		<tr id="issue-<%= issue.id %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %>">
+		<tr id="issue-<%= h(issue.id) %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %>">
 			<td class="id">
 			  <%= check_box_tag("ids[]", issue.id, false, :style => 'display:none;') %>
-				<%= link_to issue.id, :controller => 'issues', :action => 'show', :id => issue %>
+				<%= link_to(h(issue.id), :controller => 'issues', :action => 'show', :id => issue) %>
 			</td>
 			<td class="project"><%= link_to_project(issue.project) %></td>
 			<td class="tracker"><%=h issue.tracker %></td>
diff --git a/app/views/issues/_relations.rhtml b/app/views/issues/_relations.rhtml
index f8535b827b77921697aca4f0a7510c3bd225587c..48df5c605784f53e7278aee97d630db9121d837f 100644
--- a/app/views/issues/_relations.rhtml
+++ b/app/views/issues/_relations.rhtml
@@ -14,7 +14,7 @@
     <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %>
     <%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %>
 </td>
-<td><%= relation.other_issue(@issue).status.name %></td>
+<td><%= h(relation.other_issue(@issue).status.name) %></td>
 <td><%= format_date(relation.other_issue(@issue).start_date) %></td>
 <td><%= format_date(relation.other_issue(@issue).due_date) %></td>
 <td><%= link_to_remote(image_tag('delete.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :issue_id => @issue, :id => relation},                                              
diff --git a/app/views/issues/index.rhtml b/app/views/issues/index.rhtml
index ddd5d90800011f976cbcff7caf7a8f80b33f8d57..c03e2c6ef387179cd1ba3193c13a1521c5668350 100644
--- a/app/views/issues/index.rhtml
+++ b/app/views/issues/index.rhtml
@@ -6,7 +6,7 @@
 </div>
 
 <h2><%= @query.new_record? ? l(:label_issue_plural) : h(@query.name) %></h2>
-<% html_title(@query.new_record? ? l(:label_issue_plural) : @query.name) %>
+<% html_title(@query.new_record? ? l(:label_issue_plural) : h(@query.name)) %>
 
 <% form_tag({ :controller => 'queries', :action => 'new' }, :id => 'query_form') do %>
     <%= hidden_field_tag('project_id', @project.to_param) if @project %>
diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml
index 3baafbe54603eb933ec6675178c08ce7c10a2f81..cbd206b50b34a3e1bdbf10132287a17a539d3968 100644
--- a/app/views/issues/show.rhtml
+++ b/app/views/issues/show.rhtml
@@ -113,7 +113,7 @@
 	<%= f.link_to 'PDF' %>
 <% end %>
 
-<% html_title "#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}" %>
+<% html_title h("#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}") %>
 
 <% content_for :sidebar do %>
   <%= render :partial => 'issues/sidebar' %>
diff --git a/app/views/mailer/account_activated.text.html.rhtml b/app/views/mailer/account_activated.text.html.rhtml
index 6dc95223897bfa8bb61eedb9953c9d5b8d1cb405..cb8d8caa1b76fc3ddb91ed42b92eca109d383536 100644
--- a/app/views/mailer/account_activated.text.html.rhtml
+++ b/app/views/mailer/account_activated.text.html.rhtml
@@ -1,2 +1,2 @@
 <p><%= l(:notice_account_activated) %></p>
-<p><%= l(:label_login) %>: <%= link_to @login_url, @login_url %></p>
+<p><%= l(:label_login) %>: <%= link_to h(@login_url), @login_url %></p>
diff --git a/app/views/mailer/account_activation_request.text.html.rhtml b/app/views/mailer/account_activation_request.text.html.rhtml
index b19cf32198ccea23547534d7978da461313aafa0..4450631b92f640ecfef37cf28736d0f7e424f3df 100644
--- a/app/views/mailer/account_activation_request.text.html.rhtml
+++ b/app/views/mailer/account_activation_request.text.html.rhtml
@@ -1,2 +1,2 @@
 <p><%= l(:mail_body_account_activation_request, h(@user.login)) %></p>
-<p><%= link_to @url, @url %></p>
+<p><%= link_to h(@url), @url %></p>
diff --git a/app/views/mailer/attachments_added.text.html.rhtml b/app/views/mailer/attachments_added.text.html.rhtml
index 369834b6d320f33ed02abe5e3ba0fb16a3186898..11d1cf54c584c0466f620f969e8d4a698b5a8a80 100644
--- a/app/views/mailer/attachments_added.text.html.rhtml
+++ b/app/views/mailer/attachments_added.text.html.rhtml
@@ -1,4 +1,4 @@
-<%= link_to @added_to, @added_to_url %><br />
+<%= link_to h(@added_to), @added_to_url %><br />
 
 <ul><% @attachments.each do |attachment | %>
 <li><%=h attachment.filename %></li>
diff --git a/app/views/mailer/reminder.text.html.rhtml b/app/views/mailer/reminder.text.html.rhtml
index 62201e50a1d2454922163333af4cd4b478344329..f011da3e834c6ff28143299f83e341c3df2d4464 100644
--- a/app/views/mailer/reminder.text.html.rhtml
+++ b/app/views/mailer/reminder.text.html.rhtml
@@ -2,7 +2,7 @@
 
 <ul>
 <% @issues.each do |issue| -%>
-  <li><%=h issue.project %> - <%=link_to("#{issue.tracker} ##{issue.id}", :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %></li>
+  <li><%=h issue.project %> - <%=link_to(h("#{issue.tracker} ##{issue.id}"), :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %></li>
 <% end -%>
 </ul>
 
diff --git a/app/views/mailer/wiki_content_updated.text.html.rhtml b/app/views/mailer/wiki_content_updated.text.html.rhtml
index f84e92326ceb64f46402b95b650611a131e6fc85..a5ca0a08e78e2c3f1777459c8c4444bc382959ad 100644
--- a/app/views/mailer/wiki_content_updated.text.html.rhtml
+++ b/app/views/mailer/wiki_content_updated.text.html.rhtml
@@ -3,4 +3,4 @@
 <em><%=h @wiki_content.comments %></em></p>
 
 <p><%= l(:label_view_diff) %>:<br />
-<%= link_to @wiki_diff_url, @wiki_diff_url %></p>
+<%= link_to h(@wiki_diff_url), @wiki_diff_url %></p>
diff --git a/app/views/news/show.rhtml b/app/views/news/show.rhtml
index 0dc3fe3588e45534f79bbf269c1ae17f59d04a77..22064cb9a457da03374345bb88a66dd79d22a1ff 100644
--- a/app/views/news/show.rhtml
+++ b/app/views/news/show.rhtml
@@ -62,7 +62,7 @@
 <% end %>
 <% end %>
 
-<% html_title @news.title -%>
+<% html_title h(@news.title) -%>
 
 <% content_for :header_tags do %>
   <%= stylesheet_link_tag 'scm' %>
diff --git a/app/views/projects/_form.rhtml b/app/views/projects/_form.rhtml
index 9772a899cf54882509c783626ba87853a8a099c8..43f9a1b902a3856553a235674ac6fa890cc19880 100644
--- a/app/views/projects/_form.rhtml
+++ b/app/views/projects/_form.rhtml
@@ -42,7 +42,7 @@
 <% @trackers.each do |tracker| %>
     <label class="floating">
     <%= check_box_tag 'project[tracker_ids][]', tracker.id, @project.trackers.include?(tracker) %>
-    <%= tracker %>
+    <%= h(tracker) %>
     </label>
 <% end %>
 <%= hidden_field_tag 'project[tracker_ids][]', '' %>
@@ -54,7 +54,7 @@
 <% @issue_custom_fields.each do |custom_field| %>
     <label class="floating">
 	<%= check_box_tag 'project[issue_custom_field_ids][]', custom_field.id, (@project.all_issue_custom_fields.include? custom_field), (custom_field.is_for_all? ? {:disabled => "disabled"} : {}) %>
-	<%= custom_field.name %>
+	<%= h(custom_field.name) %>
 	</label>
 <% end %>
 <%= hidden_field_tag 'project[issue_custom_field_ids][]', '' %>
diff --git a/app/views/projects/list_members.rhtml b/app/views/projects/list_members.rhtml
index 7f2ae37957556fb322b5c25308848e1a347ec925..04de16044ac01e921afd4c51e95ed05fbe63d2fc 100644
--- a/app/views/projects/list_members.rhtml
+++ b/app/views/projects/list_members.rhtml
@@ -4,7 +4,7 @@
 
 <% members = @members.group_by {|m| m.role } %>
 <% members.keys.sort{|x,y| x.position <=> y.position}.each do |role| %>
-<h3><%= role.name %></h3>
+<h3><%= h(role.name) %></h3>
 <ul>
 <% members[role].each do |m| %>
 <li><%= link_to_user m.user %> (<%= format_date m.created_on %>)</li>
diff --git a/app/views/projects/show.rhtml b/app/views/projects/show.rhtml
index bfd27b4ae4ecbd3217a01ff669713d2e33276154..a30266a83fbdd78bb4151921c91d20259a097ae2 100644
--- a/app/views/projects/show.rhtml
+++ b/app/views/projects/show.rhtml
@@ -18,7 +18,7 @@
   <% end %>
 	<% @project.visible_custom_field_values.each do |custom_value| %>
 	<% if !custom_value.value.blank? %>
-	   <li><%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %></li>
+	   <li><%= h(custom_value.custom_field.name) %>: <%=h show_value(custom_value) %></li>
 	<% end %>
 	<% end %>
 	</ul>	
@@ -27,9 +27,9 @@
   <div class="issues box">    
     <h3><%=l(:label_issue_tracking)%></h3>
     <ul>
-    <% for tracker in @trackers %>    
-      <li><%= link_to tracker.name, :controller => 'issues', :action => 'index', :project_id => @project, 
-                                                :set_filter => 1, 
+    <% for tracker in @trackers %>
+      <li><%= link_to h(tracker.name), :controller => 'issues', :action => 'index', :project_id => @project,
+                                                :set_filter => 1,
                                                 "tracker_id" => tracker.id %>:
 					<%= l(:label_x_open_issues_abbr_on_total, :count => @open_issues_by_tracker[tracker].to_i,
 																										:total => @total_issues_by_tracker[tracker].to_i) %>
diff --git a/app/views/queries/index.rhtml b/app/views/queries/index.rhtml
index 1c608b8acd571fd31d365279165d78a35a95c4f2..aa2a94a8456e439ccbd89f7a9bb31b19182cac20 100644
--- a/app/views/queries/index.rhtml
+++ b/app/views/queries/index.rhtml
@@ -11,7 +11,7 @@
   <% @queries.each do |query| %>
     <tr class="<%= cycle('odd', 'even') %>">
       <td>
-        <%= link_to query.name, :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %>
+        <%= link_to h(query.name), :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %>
       </td>
       <td align="right">
         <small>
diff --git a/app/views/reports/_details.rhtml b/app/views/reports/_details.rhtml
index c9cd88bb812c03c703dea9e3fb2428ff6a55e164..a5bde738d3eedbcc62b2d28dbe51135051ac4716 100644
--- a/app/views/reports/_details.rhtml
+++ b/app/views/reports/_details.rhtml
@@ -6,7 +6,7 @@
 <thead><tr>
 <th style="width:25%"></th>
 <% for status in @statuses %>
-<th style="width:<%= col_width %>%"><%= status.name %></th>
+<th style="width:<%= col_width %>%"><%= h(status.name) %></th>
 <% end %>
 <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_open_issues_plural)%></strong></th>
 <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_closed_issues_plural)%></strong></th>
@@ -15,8 +15,8 @@
 <tbody>
 <% for row in rows %>
 <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
-                                                :set_filter => 1, 
+  <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)),
+                                                :set_filter => 1,
                                                 :subproject_id => '!*',
                                                 "#{field_name}" => row.id %></td>
   <% for status in @statuses %>
@@ -50,4 +50,4 @@
 </tbody>
 </table>
 <% end
-  reset_cycle %>
\ No newline at end of file
+  reset_cycle %>
diff --git a/app/views/reports/_simple.rhtml b/app/views/reports/_simple.rhtml
index e82f376a16793a4f0c873304ee072f5610d608e8..6a46669a549cd123fc076b2e48959da6f409162d 100644
--- a/app/views/reports/_simple.rhtml
+++ b/app/views/reports/_simple.rhtml
@@ -11,8 +11,8 @@
 <tbody>
 <% for row in rows %>
 <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
-                                                :set_filter => 1, 
+  <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)),
+                                                :set_filter => 1,
                                                 :subproject_id => '!*',
                                                 "#{field_name}" => row.id %></td>
   <td align="center"><%= aggregate_link data, { field_name => row.id, "closed" => 0 },
@@ -38,4 +38,4 @@
 </tbody>
 </table>
 <% end
-  reset_cycle %>
\ No newline at end of file
+  reset_cycle %>
diff --git a/app/views/repositories/_breadcrumbs.rhtml b/app/views/repositories/_breadcrumbs.rhtml
index 1dd2445c745e9401f6985da9892d7006680f5d20..e617e772d8d7cdfd0fe9dfe23a3bf56e7f7b4f79 100644
--- a/app/views/repositories/_breadcrumbs.rhtml
+++ b/app/views/repositories/_breadcrumbs.rhtml
@@ -18,4 +18,4 @@ dirs.each do |dir|
 
 <%= "@ #{h format_revision(@changeset)}" if @changeset %>
 
-<% html_title(with_leading_slash(path)) -%>
+<% html_title(h(with_leading_slash(path))) -%>
diff --git a/app/views/repositories/_dir_list_content.rhtml b/app/views/repositories/_dir_list_content.rhtml
index 66574f1c86ef7a293073ae9a245e43b98d2acc2d..5c60527cb909e9711d88596494a038ce28551186 100644
--- a/app/views/repositories/_dir_list_content.rhtml
+++ b/app/views/repositories/_dir_list_content.rhtml
@@ -1,7 +1,7 @@
 <% @entries.each do |entry| %>
 <% tr_id = Digest::MD5.hexdigest(entry.path)
    depth = params[:depth].to_i %>
-<tr id="<%= tr_id %>" class="<%= h params[:parent_id] %> entry <%= entry.kind %>">
+<tr id="<%= tr_id %>" class="<%= h params[:parent_id] %> entry <%= h(entry.kind) %>">
 <td style="padding-left: <%=18 * depth%>px;" class="filename">
 <% if entry.is_dir? %>
 <span class="expander" onclick="<%=  remote_function :url => {:action => 'show', :id => @project, :path => to_path_param(entry.path), :rev => @rev, :depth => (depth + 1), :parent_id => tr_id},
@@ -19,7 +19,7 @@
 <% changeset = @project.repository.changesets.find_by_revision(entry.lastrev.identifier) if entry.lastrev && entry.lastrev.identifier %>
 <td class="revision"><%= link_to_revision(changeset, @project) if changeset %></td>
 <td class="age"><%= distance_of_time_in_words(entry.lastrev.time, Time.now) if entry.lastrev && entry.lastrev.time %></td>
-<td class="author"><%= changeset.nil? ? h(entry.lastrev.author.to_s.split('<').first) : changeset.author if entry.lastrev %></td>
+<td class="author"><%= changeset.nil? ? h(entry.lastrev.author.to_s.split('<').first) : h(changeset.author) if entry.lastrev %></td>
 <td class="comments"><%=h truncate(changeset.comments, :length => 50) unless changeset.nil? %></td>
 </tr>
 <% end %>
diff --git a/app/views/repositories/diff.rhtml b/app/views/repositories/diff.rhtml
index efb84a44d20810d0bf30b05892c0758ae7f22994..cb868665a69e06bc352b22b9fa66da9d8b7566ba 100644
--- a/app/views/repositories/diff.rhtml
+++ b/app/views/repositories/diff.rhtml
@@ -16,7 +16,7 @@
 	<%= f.link_to 'Diff', :url => params, :caption => 'Unified diff' %>
 <% end %>
 
-<% html_title(with_leading_slash(@path), 'Diff') -%>
+<% html_title(h(with_leading_slash(@path)), 'Diff') -%>
 
 <% content_for :header_tags do %>
 <%= stylesheet_link_tag "scm" %>
diff --git a/app/views/repositories/revision.rhtml b/app/views/repositories/revision.rhtml
index 483e358de3948b6cf51d759e925a867f5e89d883..ce90a25474d1f386129cfdb79dfcf7f6492e7b2a 100644
--- a/app/views/repositories/revision.rhtml
+++ b/app/views/repositories/revision.rhtml
@@ -21,7 +21,7 @@
 
 <h2><%= l(:label_revision) %> <%= format_revision(@changeset) %></h2>
 
-<p><% if @changeset.scmid %>ID: <%= @changeset.scmid %><br /><% end %>
+<p><% if @changeset.scmid %>ID: <%= h(@changeset.scmid) %><br /><% end %>
 <span class="author"><%= authoring(@changeset.committed_on, @changeset.author) %></span></p>
 
 <%= textilizable @changeset.comments %>
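Review bot: The `<h2>` on the context line above still prints `format_revision(@changeset)` unescaped, while the same commit escapes that helper's output in repositories/_breadcrumbs.rhtml (`h format_revision(@changeset)`); for consistency the heading should read `<h2><%= l(:label_revision) %> <%= h(format_revision(@changeset)) %></h2>`. Revision identifiers are numeric or hex for most SCMs, so this is presumably low-impact, but the view should not depend on that. The `authoring(...)` call on the following line is left as-is here, so its escaping is delegated to that helper, which is outside this diff.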
diff --git a/app/views/roles/index.html.erb b/app/views/roles/index.html.erb
index 41878146be0d45a619c9dd958652c802bdbd6e3b..73c7e0841b2591f6248349933a9b13a8905946b2 100644
--- a/app/views/roles/index.html.erb
+++ b/app/views/roles/index.html.erb
@@ -13,7 +13,7 @@
   <tbody>
 <% for role in @roles %>
   <tr class="<%= cycle("odd", "even") %>">
-  <td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(role.name, :action => 'edit', :id => role)) %></td>
+  <td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(h(role.name), :action => 'edit', :id => role)) %></td>
   <td align="center" style="width:15%;">
   <% unless role.builtin? %>
     <%= reorder_links('role', {:action => 'edit', :id => role}) %>
diff --git a/app/views/search/index.rhtml b/app/views/search/index.rhtml
index 348421d3f6a871ebc2539a1a10696212c630b232..2fc319459d042224a0f3254d73353431a26b13d3 100644
--- a/app/views/search/index.rhtml
+++ b/app/views/search/index.rhtml
@@ -26,8 +26,8 @@
     <h3><%= l(:label_result_plural) %> (<%= @results_by_type.values.sum %>)</h3>
     <dl id="search-results">
       <% @results.each do |e| %>
-        <dt class="<%= e.event_type %>"><%= content_tag('span', h(e.project), :class => 'project') unless @project == e.project %> <%= link_to highlight_tokens(truncate(e.event_title, :length => 255), @tokens), e.event_url %></dt>
-        <dd><span class="description"><%= highlight_tokens(e.event_description, @tokens) %></span>
+        <dt class="<%= e.event_type %>"><%= content_tag('span', h(e.project), :class => 'project') unless @project == e.project %> <%= link_to highlight_tokens(truncate(h(e.event_title), :length => 255), @tokens), e.event_url %></dt>
+        <dd><span class="description"><%= highlight_tokens(h(e.event_description), @tokens) %></span>
         <span class="author"><%= format_time(e.event_datetime) %></span></dd>
       <% end %>
     </dl>
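Review bot: Escaping before truncating in `truncate(h(e.event_title), :length => 255)` can cut an entity such as `&amp;` in half at the 255-character boundary, yielding malformed markup; truncate the raw title first, then escape: `link_to highlight_tokens(h(truncate(e.event_title, :length => 255)), @tokens), e.event_url`. Passing pre-escaped text into `highlight_tokens` looks intentional (it presumably wraps matches in markup), but if that helper already escapes its input this would double-escape — worth confirming against its definition, which is outside this diff. The `<dt class="<%= e.event_type %>">` on the same line stays unescaped; that is presumably a fixed per-model string, but a short comment saying so would help the next reader.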
diff --git a/app/views/timelog/_list.rhtml b/app/views/timelog/_list.rhtml
index 28f1f523959f845123aed0a12383f0ea93d15e60..6b0f970b8616fdf359d84e7e6374bfa1a8ec7d28 100644
--- a/app/views/timelog/_list.rhtml
+++ b/app/views/timelog/_list.rhtml
@@ -15,9 +15,9 @@
 <% entries.each do |entry| -%>
 <tr class="time-entry <%= cycle("odd", "even") %>">
 <td class="spent_on"><%= format_date(entry.spent_on) %></td>
-<td class="user"><%=h entry.user %></td>
+<td class="user"><%= link_to_user(entry.user) %></td>
 <td class="activity"><%=h entry.activity %></td>
-<td class="project"><%=h entry.project %></td>
+<td class="project"><%= link_to_project(entry.project) %></td>
 <td class="subject">
 <% if entry.issue -%>
 <%= entry.issue.visible? ? link_to_issue(entry.issue, :truncate => 50) : "##{entry.issue.id}" -%>
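Review bot: Replacing `<%=h entry.user %>` and `<%=h entry.project %>` with `link_to_user(entry.user)` and `link_to_project(entry.project)` moves the escaping responsibility into those helpers, which are not part of this diff; please confirm both escape the displayed name before passing it to `link_to`, otherwise this hunk reintroduces what the rest of the commit fixes. The same helper swap is made in wiki/diff.rhtml and wiki/show.rhtml, so one confirmation covers all three. The explicit `h` on `entry.activity` between the two changed lines is kept, which makes the asymmetry easy to miss in review.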
diff --git a/app/views/trackers/index.html.erb b/app/views/trackers/index.html.erb
index ab6eba57530fa3cab5b9dcf2b505ad7bff0c8f54..c4981ccd3beda6f73f494b752ab2891dd0e4ec6f 100644
--- a/app/views/trackers/index.html.erb
+++ b/app/views/trackers/index.html.erb
@@ -14,7 +14,7 @@
   <tbody>
 <% for tracker in @trackers %>
   <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to tracker.name, :action => 'edit', :id => tracker %></td>
+  <td><%= link_to h(tracker.name), :action => 'edit', :id => tracker %></td>
   <td align="center"><% unless tracker.workflows.count > 0 %><span class="icon icon-warning"><%= l(:text_tracker_no_workflow) %> (<%= link_to l(:button_edit), {:controller => 'workflows', :action => 'edit', :tracker_id => tracker} %>)</span><% end %></td>
   <td align="center" style="width:15%;"><%= reorder_links('tracker', {:action => 'edit', :id => tracker}) %></td>
   <td class="buttons">
diff --git a/app/views/users/edit.rhtml b/app/views/users/edit.rhtml
index 0d9cb0133e6753760d6be3ae37c4e22e55398a9f..ccf4489d20ae07289835ae4133cd5347422bd353 100644
--- a/app/views/users/edit.rhtml
+++ b/app/views/users/edit.rhtml
@@ -7,4 +7,4 @@
 
 <%= render_tabs user_settings_tabs %>
 
-<% html_title(l(:label_user), @user.login, l(:label_administration)) -%>
+<% html_title(l(:label_user), h(@user.login), l(:label_administration)) -%>
diff --git a/app/views/users/show.rhtml b/app/views/users/show.rhtml
index 520608665747b3ca84a0d6eabcff9528f476bd30..f0fe2031318cd1d88a6304c19adc3002d10150c2 100644
--- a/app/views/users/show.rhtml
+++ b/app/views/users/show.rhtml
@@ -67,4 +67,4 @@
 <%= call_hook :view_account_right_bottom, :user => @user %>
 </div>
 
-<% html_title @user.name %>
+<% html_title h(@user.name) %>
diff --git a/app/views/versions/_issue_counts.rhtml b/app/views/versions/_issue_counts.rhtml
index 38f3edbcbe6a1876ef50a28e0ec6d6af2f1b8647..58710ad9a6355b8d259879cce7ffa6ee802fd289 100644
--- a/app/views/versions/_issue_counts.rhtml
+++ b/app/views/versions/_issue_counts.rhtml
@@ -15,7 +15,7 @@
     <% counts.each do |count| %>
     <tr>
         <td width="130px" align="right" >
-            <%= link_to count[:group], {:controller => 'issues', 
+            <%= link_to h(count[:group]), {:controller => 'issues',
                                         :action => 'index',
                                         :project_id => version.project,
                                         :set_filter => 1,
diff --git a/app/views/versions/index.html.erb b/app/views/versions/index.html.erb
index d0c5dcac1475be74877113fcbdcfad6816533946..5b51fb4e22bed47bf920358b096838896671b3ba 100644
--- a/app/views/versions/index.html.erb
+++ b/app/views/versions/index.html.erb
@@ -4,8 +4,8 @@
 <p class="nodata"><%= l(:label_no_data) %></p>
 <% else %>
 <div id="roadmap">
-<% @versions.each do |version| %>   
-    <h3 class="version"><%= tag 'a', :name => version.name %><%= link_to_version version %></h3>
+<% @versions.each do |version| %>
+    <h3 class="version"><%= tag 'a', :name => h(version.name) %><%= link_to_version version %></h3>
     <%= render :partial => 'versions/overview', :locals => {:version => version} %>
     <%= render(:partial => "wiki/content", :locals => {:content => version.wiki_page.content}) if version.wiki_page %>
 
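Review bot: Wrapping the attribute value in `h()` inside `tag 'a', :name => h(version.name)` is redundant, since the `tag` helper escapes attribute values itself (via `escape_once` in Rails 2.x, as far as I recall, so it does not double-escape either); it is harmless but inconsistent with the rest of the commit, which adds `h` only where the surrounding helper does not escape. If it stays, a short comment such as `<%# tag escapes attribute values; h() kept for explicitness %>` would stop the next reader from removing or copying it blindly. Whether `link_to_version` produces a fragment matching this anchor name is outside the hunk.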
diff --git a/app/views/versions/show.rhtml b/app/views/versions/show.rhtml
index 25d93eaf227532b04ff38f7e9f2ca90a1a41019e..9741356ff5b57c2f952cb1a7ba1f75aa0238df1b 100644
--- a/app/views/versions/show.rhtml
+++ b/app/views/versions/show.rhtml
@@ -46,4 +46,4 @@
 
 <%= call_hook :view_versions_show_bottom, :version => @version %>
 
-<% html_title @version.name %>
+<% html_title h(@version.name) %>
diff --git a/app/views/wiki/annotate.rhtml b/app/views/wiki/annotate.rhtml
index dfea19581505f246d7cf7d97c7f605f1c1c4e1e1..abceb4e71a16e98f23a9583d3d2cbb403c209690 100644
--- a/app/views/wiki/annotate.rhtml
+++ b/app/views/wiki/annotate.rhtml
@@ -3,11 +3,11 @@
 <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
 </div>
 
-<h2><%= @page.pretty_title %></h2>
+<h2><%= h(@page.pretty_title) %></h2>
 
 <p>
-<%= l(:label_version) %> <%= link_to @annotate.content.version, :action => 'show', :id => @page.title, :version => @annotate.content.version %>
-<em>(<%= @annotate.content.author ? @annotate.content.author.name : "anonyme" %>, <%= format_time(@annotate.content.updated_on) %>)</em>
+<%= l(:label_version) %> <%= link_to h(@annotate.content.version), :action => 'show', :id => @page.title, :version => @annotate.content.version %>
+<em>(<%= h(@annotate.content.author ? @annotate.content.author.name : "anonyme") %>, <%= format_time(@annotate.content.updated_on) %>)</em>
 </p>
 
 <% colors = Hash.new {|k,v| k[v] = (k.size % 12) } %>
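Review bot: This view keeps `h(@annotate.content.author ? @annotate.content.author.name : "anonyme")`, whereas wiki/diff.rhtml and wiki/show.rhtml in the same commit switch the equivalent expression to `link_to_user(...)`; either is safe, but the two styles should agree, e.g. `<em>(<%= @annotate.content.author ? link_to_user(@annotate.content.author) : "anonyme" %>, ...`. `h(@annotate.content.version)` on the preceding line is harmless but presumably escapes an integer.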
diff --git a/app/views/wiki/date_index.html.erb b/app/views/wiki/date_index.html.erb
index a0327cf4cb66a605089c4538329448643ef9585c..e1d39baefb11552243985fdb8969759f1b83e32a 100644
--- a/app/views/wiki/date_index.html.erb
+++ b/app/views/wiki/date_index.html.erb
@@ -12,7 +12,7 @@
 <h3><%= format_date(date) %></h3>
 <ul>
 <% @pages_by_date[date].each do |page| %>
-    <li><%= link_to page.pretty_title, :action => 'show', :id => page.title, :project_id => page.project %></li>
+    <li><%= link_to h(page.pretty_title), :action => 'show', :id => page.title, :project_id => page.project %></li>
 <% end %>
 </ul>
 <% end %>
diff --git a/app/views/wiki/diff.rhtml b/app/views/wiki/diff.rhtml
index 264c677b0b004a455e16ba7cdb1d6317c155b745..6ecbb66d0adc176ef2636f03d2d358c64241a683 100644
--- a/app/views/wiki/diff.rhtml
+++ b/app/views/wiki/diff.rhtml
@@ -2,14 +2,14 @@
 <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
 </div>
 
-<h2><%= @page.pretty_title %></h2>
+<h2><%= h(@page.pretty_title) %></h2>
 
 <p>
 <%= l(:label_version) %> <%= link_to @diff.content_from.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_from.version %>
-<em>(<%= @diff.content_from.author ? @diff.content_from.author.name : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>)</em>
+<em>(<%= @diff.content_from.author ? link_to_user(@diff.content_from.author) : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>)</em>
 &#8594;
 <%= l(:label_version) %> <%= link_to @diff.content_to.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_to.version %>/<%= @page.content.version %>
-<em>(<%= @diff.content_to.author ? @diff.content_to.author.name : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>)</em>
+<em>(<%= @diff.content_to.author ? link_to_user(@diff.content_to.author) : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>)</em>
 </p>
 
 <hr />
diff --git a/app/views/wiki/edit.rhtml b/app/views/wiki/edit.rhtml
index 5f47c3f8cc0e052b18b75946db399d9a249d20a2..0fadf9a17615e25b6ab26664fa878e1ebbd618f8 100644
--- a/app/views/wiki/edit.rhtml
+++ b/app/views/wiki/edit.rhtml
@@ -26,4 +26,4 @@
   <%= robot_exclusion_tag %>
 <% end %>
 
-<% html_title @page.pretty_title %>
+<% html_title h(@page.pretty_title) %>
diff --git a/app/views/wiki/export_multiple.rhtml b/app/views/wiki/export_multiple.rhtml
index 31fa557c72268a1f518cae2c4cbed90c1cbf6d48..df8f7401232e7c688855db73420d4bbbcb039a24 100644
--- a/app/views/wiki/export_multiple.rhtml
+++ b/app/views/wiki/export_multiple.rhtml
@@ -20,13 +20,13 @@ h1:hover a.wiki-anchor, h2:hover a.wiki-anchor, h3:hover a.wiki-anchor { display
 <strong><%= l(:label_index_by_title) %></strong>
 <ul>
 <% @pages.each do |page| %>
-    <li><a href="#<%= page.title %>"><%= page.pretty_title %></a></li>
+    <li><a href="#<%= h(page.title) %>"><%= h(page.pretty_title) %></a></li>
 <% end %>
 </ul>
 
 <% @pages.each do |page| %>
 <hr />
-<a name="<%= page.title %>" />
+<a name="<%= h(page.title) %>" />
 <%= textilizable page.content ,:text, :wiki_links => :anchor %>
 <% end %>
 
diff --git a/app/views/wiki/history.rhtml b/app/views/wiki/history.rhtml
index 392c3b9f1b10b9ef9f79ddca9804bfd458d32933..b31ae67359f9fd5915d794b706514b4d071ef25e 100644
--- a/app/views/wiki/history.rhtml
+++ b/app/views/wiki/history.rhtml
@@ -1,4 +1,4 @@
-<h2><%= @page.pretty_title %></h2>
+<h2><%= h(@page.pretty_title) %></h2>
 
 <h3><%= l(:label_history) %></h3>
 
@@ -18,7 +18,7 @@
 <% line_num = 1 %>
 <% @versions.each do |ver| %>
 <tr class="wiki-page-version <%= cycle("odd", "even") %>">
-    <td class="id"><%= link_to ver.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %></td>
+    <td class="id"><%= link_to h(ver.version), :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %></td>
     <td class="checkbox"><%= radio_button_tag('version', ver.version, (line_num==1), :id => "cb-#{line_num}", :onclick => "$('cbto-#{line_num+1}').checked=true;") if show_diff && (line_num < @versions.size) %></td>
     <td class="checkbox"><%= radio_button_tag('version_from', ver.version, (line_num==2), :id => "cbto-#{line_num}") if show_diff && (line_num > 1) %></td>
     <td class="updated_on"><%= format_time(ver.updated_on) %></td>
diff --git a/app/views/wiki/rename.rhtml b/app/views/wiki/rename.rhtml
index f94b8bc3d665e519e584d29e2fc95708ed89da17..2defff5132c625b40fd2aec14448e09c87f281db 100644
--- a/app/views/wiki/rename.rhtml
+++ b/app/views/wiki/rename.rhtml
@@ -1,4 +1,4 @@
-<h2><%= l(:button_rename) %>: <%= @original_title %></h2>
+<h2><%= l(:button_rename) %>: <%= h(@original_title) %></h2>
 
 <%= error_messages_for 'page' %>
 
diff --git a/app/views/wiki/show.rhtml b/app/views/wiki/show.rhtml
index 671bd803fd50a29efb6b78d81e88f560205b91ca..6ef522c5d43d10841bba8f386c0a7b4f97478120 100644
--- a/app/views/wiki/show.rhtml
+++ b/app/views/wiki/show.rhtml
@@ -21,7 +21,7 @@
     <%= link_to((l(:label_next) + ' &#187;'), :action => 'show', :id => @page.title, :project_id => @page.project, :version => (@content.version + 1)) + " - " if @content.version < @page.content.version %>
     <%= link_to(l(:label_current_version), :action => 'show', :id => @page.title, :project_id => @page.project) %>
     <br />
-    <em><%= @content.author ? @content.author.name : "anonyme" %>, <%= format_time(@content.updated_on) %> </em><br />
+    <em><%= @content.author ? link_to_user(@content.author) : "anonyme" %>, <%= format_time(@content.updated_on) %> </em><br />
     <%=h @content.comments %>
     </p>
     <hr />
@@ -61,4 +61,4 @@
   <%= render :partial => 'sidebar' %>
 <% end %>
 
-<% html_title @page.pretty_title %>
+<% html_title h(@page.pretty_title) %>
diff --git a/app/views/wikis/destroy.rhtml b/app/views/wikis/destroy.rhtml
index b5b1de114864f7c1d607047feb9562a0934c4dd6..75c0eac24d6c5e38fd97e11866ef06bf97b9e989 100644
--- a/app/views/wikis/destroy.rhtml
+++ b/app/views/wikis/destroy.rhtml
@@ -1,7 +1,7 @@
 <h2><%=l(:label_confirmation)%></h2>
 
 <div class="box"><center>
-<p><strong><%= @project.name %></strong><br /><%=l(:text_wiki_destroy_confirmation)%></p>
+<p><strong><%= h(@project.name) %></strong><br /><%=l(:text_wiki_destroy_confirmation)%></p>
 
 <% form_tag({:controller => 'wikis', :action => 'destroy', :id => @project}) do %>
 <%= hidden_field_tag "confirm", 1 %>