Escape special chars for comments’ text and author.

author: Stefan Daschek <[email protected]> 2013-07-03 16:37:35 +0200
committer: Stefan Daschek <[email protected]> 2013-07-03 16:37:35 +0200
commit: 7bb62e8870ae369a9b2423c87d5e0875873c3834 (patch)
tree: 3a8b97764a3efb5de493276e7cc1c1d26eb80837 /lib/axlsx/workbook/worksheet/comment.rb
parent: c26177a9ec5de20a5e3ecbac635e8ce209102645 (diff)
download: caxlsx-7bb62e8870ae369a9b2423c87d5e0875873c3834.tar.gz
caxlsx-7bb62e8870ae369a9b2423c87d5e0875873c3834.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/axlsx/workbook/worksheet/comment.rb b/lib/axlsx/workbook/worksheet/comment.rb
index 0c885fda..eee2b58a 100644
--- a/lib/axlsx/workbook/worksheet/comment.rb
+++ b/lib/axlsx/workbook/worksheet/comment.rb
@@ -66,11 +66,11 @@ module Axlsx
       str << '<comment ref="' << ref << '" authorId="' << author_index.to_s << '">'
       str << '<text><r>'
       str << '<rPr> <b/><color indexed="81"/></rPr>'
-      str << '<t>' << author.to_s << ':
+      str << '<t>' << ::CGI.escapeHTML(author.to_s) << ':
 </t></r>'
       str << '<r>'
       str << '<rPr><color indexed="81"/></rPr>'
-      str << '<t>' << text << '</t></r></text>'
+      str << '<t>' << ::CGI.escapeHTML(text) << '</t></r></text>'
       str << '</comment>'
     end
author	Stefan Daschek <[email protected]>	2013-07-03 16:37:35 +0200
committer	Stefan Daschek <[email protected]>	2013-07-03 16:37:35 +0200
commit	7bb62e8870ae369a9b2423c87d5e0875873c3834 (patch)
tree	3a8b97764a3efb5de493276e7cc1c1d26eb80837 /lib/axlsx/workbook/worksheet/comment.rb
parent	c26177a9ec5de20a5e3ecbac635e8ce209102645 (diff)
download	caxlsx-7bb62e8870ae369a9b2423c87d5e0875873c3834.tar.gz caxlsx-7bb62e8870ae369a9b2423c87d5e0875873c3834.zip