From c94d1f58b28cfb9f6554f162160ff7fd0f6699e6 Mon Sep 17 00:00:00 2001
From: Reinier Balt
Date: Fri, 11 Mar 2011 15:14:45 +0100
Subject: [PATCH] fix XSS vunerability. Thanks Mesut Timur for spotting this!

---
 app/controllers/todos_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/todos_controller.rb b/app/controllers/todos_controller.rb
index fc431138..61892c55 100644
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@@ -517,7 +517,7 @@ class TodosController < ApplicationController
 def tag
 init_data_for_sidebar unless mobile?
 @source_view = params['_source_view'] || 'tag'
-@tag_name = params[:name]
+@tag_name = sanitize(params[:name]) # sanitize to prevent XSS vunerability!
 @page_title = t('todos.tagged_page_title', :tag_name => @tag_name)
 
 # mobile tags are routed with :name ending on .m. So we need to chomp it
@@ -1334,4 +1334,4 @@ class TodosController < ApplicationController
 end
 
 
-end
\ No newline at end of file
+end
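Review bot: `sanitize` on the new `@tag_name` line is an allowlist HTML sanitizer rather than an escaper, so the value can still carry whatever markup the sanitizer permits, and the robust defence for a tag name is escaping at render time (`h(@tag_name)` or an auto-escaped ERB template) while the controller keeps `@tag_name = params[:name]` untouched; the sanitized value also flows into `t('todos.tagged_page_title', ...)` here and, past the hunk, into the `.m` chomp and the tag lookup, where rewriting user input may stop a legitimately named tag from matching. `sanitize` is an ActionView helper, so unless TodosController includes that helper module it will not be defined in the controller — worth confirming before merging. If `params[:name]` can be absent, confirm that `sanitize(nil)` returns something the later chomp tolerates rather than raising. The added comment also carries a typo: `# sanitize to prevent XSS vulnerability!`. The body of `tag` continues outside the hunk.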