jacknudt
/
socialforge
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

FIX xss bug

This commit is contained in:
Jasder 2019-10-17 11:29:37 +08:00
parent 14fafc1709
commit a7f558a593
10 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/views/boards/_course_show.html.erb
View File

@ -24,7 +24,7 @@
<div class="homepageRight mt0 ml10">
<div class="homepageRightBanner">
<div class="NewsBannerName break_word" style="width: 600px;">
<%= @board.parent_id.nil? ? "班级讨论区" : "#{@board.name}" %>
<%= @board.parent_id.nil? ? "班级讨论区" : "#{h @board.name}" %>
</div>
<% is_teacher = User.current.logged? && (User.current.admin? || User.current.allowed_to?(:as_teacher,@board.course)) %>

4
app/views/boards/_sy_board_history.html.erb
View File

@ -18,9 +18,9 @@
<div class="list-file">
<div><span class="item_list fl"></span>
<% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
<%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal fl" %>
<%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal fl" %>
<% else %>
<%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal f1" %>
<%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal f1" %>
<% end %>
<% if activity.sticky == 1 %>
<span class="fl ml10 red-cir-btn">顶</span>

2
app/views/layouts/_contest_board_children_list.html.erb
View File

@ -5,7 +5,7 @@
<li id="board_children_<%=board.id %>">
<% count = board ? board.messages.count : 0 %>
<a href="<%=contest_boards_path(@contest, :board_id =>board.id) %>">
<font class="hidden dis" style="max-width: 120px;"><%=board.name %></font>
<font class="hidden dis" style="max-width: 120px;"><%= h board.name %></font>
<span style="vertical-align: top;"><%=count %></span>
</a>
<% if User.current.logged? && is_admin %>

4
app/views/messages/_course_show.html.erb
View File

@ -65,7 +65,7 @@
</div>
<%end%>
<div class="postDetailTitle fl break_full_word">
<a href="javascript:void(0);" class="f14 linkGrey4 fb" style="overflow:hidden;">主题: <%= @topic.subject%></a>
<a href="javascript:void(0);" class="f14 linkGrey4 fb" style="overflow:hidden;">主题: <%= h @topic.subject%></a>
</div>
<div class="cl"></div>
<div class="postDetailCreater">
@ -74,7 +74,7 @@
<div class="postDetailDate mb5"><%= format_time( @topic.created_on)%></div>
<div class="cl"></div>
<div class="homepagePostIntro memo-content upload_img break_full_word ke-block" id="message_description_<%= @topic.id %>" >
<%= @topic.content.html_safe%>
<%= h @topic.content %>
</div>
<div class="cl"></div>
<div class="mt10" style="font-weight:normal;">

2
app/views/messages/_course_show_replies.html.erb
View File

@ -13,7 +13,7 @@
<%= render :partial => 'users/message_contents', :locals => {:comment => reply, :type => 'Message', :user_activity_id => @topic.id}%>
<div class="homepagePostReplyContent upload_img break_word table_maxWidth" id="reply_message_description_<%= reply.id %>">
<%= reply.content.html_safe%>
<%= h reply.content %>
</div>
<div class="orig_reply mb10 mt-10">
<div class="reply">

4
app/views/users/_comment_reply_detail.html.erb
View File

@ -17,9 +17,9 @@
<p><%= string %></p>
<% end %>
<% end %>
<P><%= comment.content_detail.html_safe %></P>
<P><%= h comment.content_detail.html_safe %></P>
<% else %>
<%= comment.content_detail.html_safe %>
<%= h comment.content_detail.html_safe %>
<% end %>
</div>
<div class="orig_reply mt-10 pr" style="height: 18px;">

4
app/views/users/_course_boardlist.html.erb
View File

@ -24,9 +24,9 @@
<div class="list-file">
<div><span class="item_list fl"></span>
<% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
<%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal fl" %>
<%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal fl" %>
<% else %>
<%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal f1" %>
<%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal f1" %>
<% end %>
<% if activity.sticky == 1 %>
<span class="fl ml10 red-cir-btn">顶</span>

8
app/views/users/_course_message.html.erb
View File

@ -13,9 +13,9 @@
</div>
<div class="homepagePostTitle hidden m_w530 fl">
<% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
<%= link_to activity.subject.to_s.html_safe, board_message_path(activity.board_id, activity), :class=> "postGrey" %>
<%= link_to h(activity.subject.to_s), board_message_path(activity.board_id, activity), :class=> "postGrey" %>
<% else %>
<%= link_to activity.parent.subject.to_s.html_safe, board_message_path(activity.board_id, activity), :class=> "postGrey" %>
<%= link_to h(activity.parent.subject.to_s), board_message_path(activity.board_id, activity), :class=> "postGrey" %>
<% end %>
</div>
<% if activity.sticky == 1 %>
@ -33,9 +33,9 @@
</div>
<div class="cl"></div>
<% if activity.parent_id.nil? %>
<% content = activity.content %>
<% content = h activity.content %>
<% else %>
<% content = activity.parent.content %>
<% content = h activity.parent.content %>
<% end %>
<%=render :partial =>"users/intro_content", :locals=>{:user_activity_id =>user_activity_id, :content=>content} %>
<div class="cl"></div>

2
app/views/users/_message_replies.html.erb
View File

@ -15,7 +15,7 @@
<% if !comment.content_detail.blank? %>
<div class="homepagePostReplyContent break_word list_style upload_img table_maxWidth" id="reply_content_<%= comment.id %>">
<%= comment.content_detail.html_safe %>
<%= h comment.content_detail %>
</div>
<div class="orig_reply mb10 mt-10">
<div class="reply">

4
app/views/users/_project_boardlist.html.erb
View File

@ -20,9 +20,9 @@
<div class="list-file">
<div><span class="item_list fl"></span>
<% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
<%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal fl", :style => "max-width:950px;" %>
<%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal fl", :style => "max-width:950px;" %>
<% else %>
<%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal f1", :style => "max-width:950px;" %>
<%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal f1", :style => "max-width:950px;" %>
<% end %>
<% if activity.sticky == 1 %>
<span class="fl ml10 red-cir-btn">顶</span>