diff --git a/web/Gemfile b/web/Gemfile
index 288fe86b4..64aa3c08c 100644
--- a/web/Gemfile
+++ b/web/Gemfile
@@ -77,6 +77,7 @@ gem 'rest_client'
 gem 'iso-639'
 gem 'language_list'
 gem 'rubyzip'
+gem 'htmlentities'
 group :development, :test do
 gem 'rspec-rails', '2.14.2'
diff --git a/web/app/assets/javascripts/dialog/commentDialog.js b/web/app/assets/javascripts/dialog/commentDialog.js
index 794ee141b..958d6ec27 100644
--- a/web/app/assets/javascripts/dialog/commentDialog.js
+++ b/web/app/assets/javascripts/dialog/commentDialog.js
@@ -71,7 +71,7 @@
 user_id: userId,
 hoverAction: musician ? "musician" : "fan",
 name: userName,
- comment: comment,
+ comment: context._.unescape(comment),
 timeago: timeago
 };
diff --git a/web/app/assets/javascripts/web/session_info.js b/web/app/assets/javascripts/web/session_info.js
index d95684437..2d76b7d80 100644
--- a/web/app/assets/javascripts/web/session_info.js
+++ b/web/app/assets/javascripts/web/session_info.js
@@ -39,7 +39,7 @@
 user_id: userId,
 hoverAction: "musician",
 name: userName,
- comment: comment,
+ comment: context._.unescape(comment),
 timeago: timeago
 });
diff --git a/web/app/assets/javascripts/web/sessions.js b/web/app/assets/javascripts/web/sessions.js
index 4686f34dc..e6727fb91 100644
--- a/web/app/assets/javascripts/web/sessions.js
+++ b/web/app/assets/javascripts/web/sessions.js
@@ -39,7 +39,7 @@
 user_id: userId,
 hoverAction: musician ? "musician" : "fan",
 name: userName,
- comment: comment,
+ comment: context._.unescape(comment),
 timeago: timeago
 });
diff --git a/web/app/controllers/api_controller.rb b/web/app/controllers/api_controller.rb
index 85d425c82..b27e41e9b 100644
--- a/web/app/controllers/api_controller.rb
+++ b/web/app/controllers/api_controller.rb
@@ -1,6 +1,7 @@
 class ApiController < ApplicationController
 @@log = Logging.logger[ApiController]
+ @@html_encoder = HTMLEntities.new
 # define common error handlers
 rescue_from 'JamRuby::StateError' do |exception|
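Review bot: `comment: context._.unescape(comment)` hands the decoded, user-controlled comment text to the template, so whether this is safe depends entirely on how the template renders the `comment` field, which is outside the hunk; if that template inserts the value as HTML rather than as escaped text, the unescape step removes exactly the protection the server-side encoding was added to provide. The same line is added in session_info.js and sessions.js. `_.unescape` also decodes only Underscore's fixed entity set, so any entity the server's encoder emits outside that set (the apostrophe representation is the usual mismatch) would surface literally in the rendered comment; that round trip should be checked against the encoder's actual output. I would annotate the line with `// comment arrives HTML-encoded from the API; the template must still escape it on output` so the dependency is explicit. The enclosing object literal begins and ends outside the hunk.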
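Review bot: `@@html_encoder = HTMLEntities.new` follows the existing `@@log` class-variable convention but leaves the encoding policy implicit: the instance is built with no flavor and, in the controllers that use it, `encode` is called with no instruction, so the set of characters that gets encoded is whatever the gem's defaults are. Since this object is the only thing standing between `params[:comment]` and the database, I would state the intent next to the definition, e.g. `# shared encoder for user-supplied comment text; callers rely on the default instruction set, which covers the basic HTML metacharacters`, and consider passing the instruction explicitly at the call sites so a gem upgrade cannot silently change the stored form. The class body continues outside the hunk.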
diff --git a/web/app/controllers/api_music_sessions_controller.rb b/web/app/controllers/api_music_sessions_controller.rb
index eae4ec2fb..f3f460b50 100644
--- a/web/app/controllers/api_music_sessions_controller.rb
+++ b/web/app/controllers/api_music_sessions_controller.rb
@@ -469,7 +469,7 @@ class ApiMusicSessionsController < ApiController
 comment = MusicSessionComment.new
 comment.music_session_id = params[:id]
 comment.creator_id = params[:user_id]
- comment.comment = params[:comment]
+ comment.comment = @@html_encoder.encode(params[:comment])
 comment.ip_address = request.remote_ip
 comment.save
@@ -496,7 +496,7 @@ class ApiMusicSessionsController < ApiController
 comment = SessionInfoComment.new
 comment.music_session_id = params[:id]
 comment.creator_id = current_user.id
- comment.comment = params[:comment]
+ comment.comment = @@html_encoder.encode(params[:comment])
 comment.save
 if comment.errors.any?
diff --git a/web/app/controllers/api_recordings_controller.rb b/web/app/controllers/api_recordings_controller.rb
index 75e3ea6f4..66c5625f9 100644
--- a/web/app/controllers/api_recordings_controller.rb
+++ b/web/app/controllers/api_recordings_controller.rb
@@ -108,7 +108,7 @@ class ApiRecordingsController < ApiController
 comment = RecordingComment.new
 comment.recording_id = params[:id]
 comment.creator_id = params[:user_id]
- comment.comment = params[:comment]
+ comment.comment = @@html_encoder.encode(params[:comment])
 comment.ip_address = request.remote_ip
 comment.save
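Review bot: `comment.comment = @@html_encoder.encode(params[:comment])` escapes at input time and persists the encoded form, so every consumer of `MusicSessionComment#comment` now receives HTML entities: a Rails view that already escapes on output will double-encode (`&` renders as `&amp;`), while rows written before this change still hold raw text, and nothing in the stored value tells a reader which form it is in. The same line is added in the second hunk (`SessionInfoComment`) and in api_recordings_controller.rb (`RecordingComment`). The conventional fix is to keep the raw text in the column and escape at the rendering boundary; if encoding on write is deliberately kept, the model attribute needs a comment stating that it holds HTML-encoded text and existing rows need a backfill so the two forms are not mixed. It is also worth confirming that `encode` accepts a missing `params[:comment]` (nil) without raising, because the replaced line tolerated nil and the controller has no presence check before this point. Each enclosing action starts and ends outside its hunk.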