From 128e90398e923875ae1ba00778f7b147c2644e28 Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Sun, 21 Dec 2014 08:55:18 +0000
Subject: [PATCH] Escape query string params
---
 views/site_files/text_editor.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/views/site_files/text_editor.erb b/views/site_files/text_editor.erb
index 1c5bb0cc..c3657647 100644
--- a/views/site_files/text_editor.erb
+++ b/views/site_files/text_editor.erb
@@ -113,7 +113,7 @@
 if(unsavedChanges == false) return
 $.ajax({
- url: '/site_files/save/<%= @filename %>?csrf_token=<%= csrf_token %>',
+ url: '/site_files/save/<%= Rack::Utils.escape @filename %>?csrf_token=<%= Rack::Utils.escape csrf_token %>',
 data: editor.getValue(),
 processData: false,
 contentType: false,
@@ -185,4 +185,4 @@
 return true
 })
-
\ No newline at end of file
+
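Review bot: `Rack::Utils.escape` is the form-encoding escaper, so on the added `url:` line it turns a space in `@filename` into `+` and a `/` into `%2F`, which is the wrong encoding for a path segment; `+` in a path is a literal plus, and whether the save route decodes `%2F` back into a directory separator depends on the router, which is outside this hunk. The path component should use the path-segment escaper, `url: '/site_files/save/<%= Rack::Utils.escape_path @filename %>?csrf_token=<%= Rack::Utils.escape csrf_token %>',`, keeping `Rack::Utils.escape` only for the query value, where form encoding is correct. Both escapers encode `'` and `<`, so the fix for the JS-string breakout that this commit addresses is preserved. Separately, carrying the CSRF token in the query string exposes it to access logs and Referer headers; a later change could send it as a request header from `$.ajax` instead. The enclosing function starts outside the hunk.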