xss fix

app/views/dmsf_files/show.html.erb

@@ -112,7 +112,7 @@
           <% if revision.description.present? %>
             <div class="status attribute">
               <%= content_tag :div, l(:label_description), :class => 'label' %>
-              <% text = clean_wiki_text(textilizable(revision.description)) %>
+              <% text = clean_wiki_text(textilizable(h revision.description)) %>
               <%= content_tag :div, text.html_safe, :class => 'value wiki' %>
             </div>
           <% end %>
@@ -141,7 +141,7 @@
           <% if revision.comment.present? %>
             <div class="status attribute">
               <%= content_tag :div, l(:label_comment), :class => 'label' %>
-              <% text = clean_wiki_text(textilizable(revision.comment)) %>
+              <% text = clean_wiki_text(textilizable(h revision.comment)) %>
               <%= content_tag :div, text.html_safe, :class => 'value wiki' %>
             </div>
           <% end %>

lib/redmine_dmsf/hooks/views/issue_view_hooks.rb

@@ -208,11 +208,11 @@ module RedmineDmsf
             :title => h(dmsf_file.last_revision.try(:tooltip)),
             'data-downloadurl' => "#{dmsf_file.last_revision.detect_content_type}:#{h(dmsf_file.name)}:#{file_view_url}")
           html << "<span class=\"size\">(#{number_to_human_size(dmsf_file.last_revision.size)})</span>"
-          html << " - #{dmsf_file.description}" unless dmsf_file.description.blank?
+          html << " - #{h(dmsf_file.description)}" unless dmsf_file.description.blank?
         html << '</td>'
         # Author, updated at
         html << '<td>'
-          html << "<span class=\"author\">#{dmsf_file.last_revision.user}, #{format_time(dmsf_file.last_revision.updated_at)}</span>"
+          html << "<span class=\"author\">#{h(dmsf_file.last_revision.user)}, #{format_time(dmsf_file.last_revision.updated_at)}</span>"
         html << '</td>'
         # Command icons
         html << '<td class="fast-icons easy-query-additional-ending-buttons hide-when-print">'