From 2d3655cd1403d354717ee4cb704c35a061e4b561 Mon Sep 17 00:00:00 2001
From: Josh Frye <joshfng@gmail.com>
Date: Tue, 12 Jan 2016 14:15:59 -0500
Subject: sanitize user supplied input.

---
 app/views/abuse_reports/new.html.haml |  2 +-
 app/views/users/show.html.haml        | 25 +------------------------
 2 files changed, 2 insertions(+), 25 deletions(-)

diff --git a/app/views/abuse_reports/new.html.haml b/app/views/abuse_reports/new.html.haml
index 8d31182a3e6..f125ecf7be5 100644
--- a/app/views/abuse_reports/new.html.haml
+++ b/app/views/abuse_reports/new.html.haml
@@ -16,7 +16,7 @@
   .form-group
     = f.label :message, class: 'control-label'
     .col-sm-10
-      = f.text_area :message, class: "form-control js-quick-submit", rows: 2, required: true, value: @ref_url
+      = f.text_area :message, class: "form-control js-quick-submit", rows: 2, required: true, value: sanitize(@ref_url)
       .help-block
         Explain the problem with this user. If appropriate, provide a link to the relevant issue or comment.
 
diff --git a/app/views/users/show.html.haml b/app/views/users/show.html.haml
index 7125b01c3ff..3bfd781e51d 100644
--- a/app/views/users/show.html.haml
+++ b/app/views/users/show.html.haml
@@ -20,7 +20,7 @@
             data: { toggle: 'tooltip', placement: 'left', container: 'body' }}
             = icon('exclamation-circle')
         - else
-          = link_to new_abuse_report_path(user_id: @user.id), class: 'btn btn-gray',
+          = link_to new_abuse_report_path(user_id: @user.id, ref_url: request.referrer), class: 'btn btn-gray',
             title: 'Report abuse', data: {toggle: 'tooltip', placement: 'left', container: 'body'} do
             = icon('exclamation-circle')
     - if current_user
@@ -93,30 +93,7 @@
             %h4.center.light
               %i.fa.fa-spinner.fa-spin
         .user-calendar-activities
-  .cover-controls
-    - if @user == current_user
-      = link_to profile_path, class: 'btn btn-gray' do
-        = icon('pencil')
-    - elsif current_user
-      %span.report-abuse
-        - if @user.abuse_report
-          %button.btn.btn-danger{ title: 'Already reported for abuse',
-            data: { toggle: 'tooltip', placement: 'left', container: 'body' }}
-            = icon('exclamation-circle')
-        - else
-          = link_to new_abuse_report_path(user_id: @user.id, ref_url: request.referrer), class: 'btn btn-gray',
-            title: 'Report abuse', data: {toggle: 'tooltip', placement: 'left', container: 'body'} do
-            = icon('exclamation-circle')
-    - if current_user
-      &nbsp;
-      = link_to user_path(@user, :atom, { private_token: current_user.private_token }), class: 'btn btn-gray' do
-        = icon('rss')
 
-.gray-content-block.second-block
-  .user-calendar
-    %h4.center.light
-      %i.fa.fa-spinner.fa-spin
-  .user-calendar-activities
 
       .content_list
       = spinner
-- 
cgit v1.2.1