Escape (some) channel names in frontend

syeopite 2021-06-26 19:20:50 -07:00
parent 78da8f8899
commit 14cd6c829c
No known key found for this signature in database
GPG Key ID: 6FA616E5A5294A82
7 changed files with 10 additions and 10 deletions


@ -320,7 +320,7 @@ def template_youtube_comments(comments, locale, thin_mode, is_replies = false)
<div class="pure-u-20-24 pure-u-md-22-24"> <div class="pure-u-20-24 pure-u-md-22-24">
<p> <p>
<b> <b>
<a class="#{child["authorIsChannelOwner"] == true ? "channel-owner" : ""}" href="#{child["authorUrl"]}">#{child["author"]}</a> <a class="#{child["authorIsChannelOwner"] == true ? "channel-owner" : ""}" href="#{child["authorUrl"]}">#{HTML.escape(child["author"].to_s)}</a>
</b> </b>
<p style="white-space:pre-wrap">#{child["contentHtml"]}</p> <p style="white-space:pre-wrap">#{child["contentHtml"]}</p>
END_HTML END_HTML
@ -458,7 +458,7 @@ def template_reddit_comments(root, locale)
html << <<-END_HTML html << <<-END_HTML
<p> <p>
<a href="javascript:void(0)" data-onclick="toggle_parent">[ - ]</a> <a href="javascript:void(0)" data-onclick="toggle_parent">[ - ]</a>
<b><a href="https://www.reddit.com/user/#{child.author}">#{child.author}</a></b> <b><a href="https://www.reddit.com/user/#{child.author}">#{HTML.escape(child.author)}</a></b>
#{translate(locale, "`x` points", number_with_separator(child.score))} #{translate(locale, "`x` points", number_with_separator(child.score))}
<span title="#{child.created_utc.to_s(translate(locale, "%a %B %-d %T %Y UTC"))}">#{translate(locale, "`x` ago", recode_date(child.created_utc, locale))}</span> <span title="#{child.created_utc.to_s(translate(locale, "%a %B %-d %T %Y UTC"))}">#{translate(locale, "`x` ago", recode_date(child.created_utc, locale))}</span>
<a href="https://www.reddit.com#{child.permalink}" title="#{translate(locale, "permalink")}">#{translate(locale, "permalink")}</a> <a href="https://www.reddit.com#{child.permalink}" title="#{translate(locale, "permalink")}">#{translate(locale, "permalink")}</a>
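Review bot: In the template_reddit_comments hunk, `child.author` is now escaped in the link text but is still interpolated raw into the `href` on the same line (`https://www.reddit.com/user/#{child.author}`), so a name containing a double quote can still close that attribute. The template_youtube_comments hunk has the same gap in `href="#{child["authorUrl"]}"`, which this change leaves untouched. I would escape the attribute values as well, e.g. `<a href="https://www.reddit.com/user/#{HTML.escape(child.author)}">`. For `authorUrl`, escaping alone does not constrain the URL scheme, so it should also be checked against the expected path form before it is emitted. Both functions begin and end outside the hunks, so any sanitising done earlier is not visible here.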


@ -37,7 +37,7 @@
<% end %> <% end %>
</a> </a>
<div class="featured-channel-about"> <div class="featured-channel-about">
<p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= item.author %></a></p> <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= HTML.escape(item.author) %></a></p>
<div class="featured-channel-metadata"> <div class="featured-channel-metadata">
<p><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></p> <p><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></p>
<p><%= translate(locale, "`x` videos", number_with_separator(item.video_count)) %></p> <p><%= translate(locale, "`x` videos", number_with_separator(item.video_count)) %></p>
@ -63,7 +63,7 @@
<% end %> <% end %>
</a> </a>
<div class="featured-channel-about"> <div class="featured-channel-about">
<p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= item.author %></a></p> <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= HTML.escape(item.author) %></a></p>
<div class="featured-channel-metadata"> <div class="featured-channel-metadata">
<span><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></span> <span><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></span>
<span class="seperator"> | </span> <span class="seperator"> | </span>


@ -36,7 +36,7 @@
<div class="pure-u-2-3"> <div class="pure-u-2-3">
<div class="channel-profile"> <div class="channel-profile">
<img src="/ggpht<%= URI.parse(channel.author_thumbnail).request_target %>"> <img src="/ggpht<%= URI.parse(channel.author_thumbnail).request_target %>">
<span><%= channel.author %></span> <span><%= HTML.escape(channel.author) %></span>
</div> </div>
</div> </div>
<div class="pure-u-1-3" style="text-align:right"> <div class="pure-u-1-3" style="text-align:right">


@ -8,7 +8,7 @@
<div class="pure-u-2-3"> <div class="pure-u-2-3">
<h3><input class="pure-input-1" maxlength="150" name="title" type="text" value="<%= playlist.title %>"></h3> <h3><input class="pure-input-1" maxlength="150" name="title" type="text" value="<%= playlist.title %>"></h3>
<b> <b>
<%= playlist.author %> | <%= HTML.escape(playlist.author) %> |
<%= translate(locale, "`x` videos", "#{playlist.video_count}") %> | <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
<%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> | <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> |
<i class="icon <%= {"ion-md-globe", "ion-ios-unlock", "ion-ios-lock"}[playlist.privacy.value] %>"></i> <i class="icon <%= {"ion-md-globe", "ion-ios-unlock", "ion-ios-lock"}[playlist.privacy.value] %>"></i>
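Review bot: `playlist.title` is still written raw into `value="<%= playlist.title %>"` two lines above the newly escaped author, and a title containing `"` ends the attribute at that point. An attribute value needs the same treatment as the text node: `value="<%= HTML.escape(playlist.title) %>"`. The title is presumably user-supplied, since this is the edit form. If it is already escaped when stored, a template comment should say so; otherwise it should be escaped here at output.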


@ -11,7 +11,7 @@
<% if playlist.author == user.try &.email %> <% if playlist.author == user.try &.email %>
<a href="/view_all_playlists"><%= playlist.author %></a> | <a href="/view_all_playlists"><%= playlist.author %></a> |
<% else %> <% else %>
<%= playlist.author %> | <%= HTML.escape(playlist.author) %> |
<% end %> <% end %>
<%= translate(locale, "`x` videos", "#{playlist.video_count}") %> | <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
<%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> | <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> |
@ -26,7 +26,7 @@
</b> </b>
<% else %> <% else %>
<b> <b>
<a href="/channel/<%= playlist.ucid %>"><%= playlist.author %></a> | <a href="/channel/<%= playlist.ucid %>"><%= HTML.escape(playlist.author) %></a> |
<%= translate(locale, "`x` videos", "#{playlist.video_count}") %> | <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
<%= translate(locale, "`x` videos", "#{playlist.views}") %> | <%= translate(locale, "`x` videos", "#{playlist.views}") %> |
<%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %>
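Review bot: Only the `else` branch is escaped in the first hunk. When `playlist.author == user.try &.email`, the link `<a href="/view_all_playlists"><%= playlist.author %></a>` still prints the value raw. It is the same value in both branches, so that line should read `<a href="/view_all_playlists"><%= HTML.escape(playlist.author) %></a>`. The exception would be if account identifiers are rejected at registration when they contain markup characters, which this page does not show.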


@ -31,7 +31,7 @@
<div class="pure-g<% if channel.deleted %> deleted <% end %>"> <div class="pure-g<% if channel.deleted %> deleted <% end %>">
<div class="pure-u-2-5"> <div class="pure-u-2-5">
<h3 style="padding-left:0.5em"> <h3 style="padding-left:0.5em">
<a href="/channel/<%= channel.id %>"><%= channel.author %></a> <a href="/channel/<%= channel.id %>"><%= HTML.escape(channel.author) %></a>
</h3> </h3>
</div> </div>
<div class="pure-u-2-5"></div> <div class="pure-u-2-5"></div>


@ -227,7 +227,7 @@ we're going to need to do it here in order to allow for translations.
<% if !video.author_thumbnail.empty? %> <% if !video.author_thumbnail.empty? %>
<img src="/ggpht<%= URI.parse(video.author_thumbnail).request_target %>"> <img src="/ggpht<%= URI.parse(video.author_thumbnail).request_target %>">
<% end %> <% end %>
<span id="channel-name"><%= video.author %></span> <span id="channel-name"><%= HTML.escape(video.author) %></span>
</div> </div>
</a> </a>