sanitize user supplied input.

2d3655cd · Josh Frye · c70ed7f2 · 2d3655cd · 2d3655cd
Commit 2d3655cd authored 9 years ago by Josh Frye
--- a/app/views/abuse_reports/new.html.haml
+++ b/app/views/abuse_reports/new.html.haml
@@ -16,7 +16,7 @@
  .form-group
    = f.label :message, class: 'control-label'
    .col-sm-10
-      = f.text_area :message, class: "form-control js-quick-submit", rows: 2, required: true, value: @ref_url
+      = f.text_area :message, class: "form-control js-quick-submit", rows: 2, required: true, value: sanitize(@ref_url)
      .help-block
        Explain the problem with this user. If appropriate, provide a link to the relevant issue or comment.
  

--- a/app/views/users/show.html.haml
+++ b/app/views/users/show.html.haml
@@ -20,7 +20,7 @@
            data: { toggle: 'tooltip', placement: 'left', container: 'body' }}
            = icon('exclamation-circle')
        - else
-          = link_to new_abuse_report_path(user_id: @user.id), class: 'btn btn-gray',
+          = link_to new_abuse_report_path(user_id: @user.id, ref_url: request.referrer), class: 'btn btn-gray',
            title: 'Report abuse', data: {toggle: 'tooltip', placement: 'left', container: 'body'} do
            = icon('exclamation-circle')
    - if current_user
@@ -93,30 +93,7 @@
            %h4.center.light
              %i.fa.fa-spinner.fa-spin
        .user-calendar-activities
-  .cover-controls
-    - if @user == current_user
-      = link_to profile_path, class: 'btn btn-gray' do
-        = icon('pencil')
-    - elsif current_user
-      %span.report-abuse
-        - if @user.abuse_report
-          %button.btn.btn-danger{ title: 'Already reported for abuse',
-            data: { toggle: 'tooltip', placement: 'left', container: 'body' }}
-            = icon('exclamation-circle')
-        - else
-          = link_to new_abuse_report_path(user_id: @user.id, ref_url: request.referrer), class: 'btn btn-gray',
-            title: 'Report abuse', data: {toggle: 'tooltip', placement: 'left', container: 'body'} do
-            = icon('exclamation-circle')
-    - if current_user
-      &nbsp;
-      = link_to user_path(@user, :atom, { private_token: current_user.private_token }), class: 'btn btn-gray' do
-        = icon('rss')
  
-.gray-content-block.second-block
-  .user-calendar
-    %h4.center.light
-      %i.fa.fa-spinner.fa-spin
-  .user-calendar-activities
  
      .content_list
      = spinner