From 0e7349ca4844ce8987257954a98c41a84b792afe Mon Sep 17 00:00:00 2001 
From: Albert Yi 
Date: Tue, 22 May 2018 14:47:00 -0700 
Subject: [PATCH] fix xss vuln 
---
 app/assets/javascripts/related_tag.js.erb | 2 +-
 app/views/artists/_form.html.erb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/app/assets/javascripts/related_tag.js.erb b/app/assets/javascripts/related_tag.js.erb 
index 1d05d4704..352eda78c 100644 
--- a/app/assets/javascripts/related_tag.js.erb 
+++ b/app/assets/javascripts/related_tag.js.erb 
@@ -236,7 +236,7 @@
 if (desc.length > 30) {
 desc = desc.substring(0, 30) + "...";
 } 
- var $del = $("").html(desc); 
+ var $del = $("").text(desc);
 $ul.append($("
  • ").html($del));
 } else if (text.match(/^ http/)) {
 text = text.substring(1, 1000); 
diff --git a/app/views/artists/_form.html.erb b/app/views/artists/_form.html.erb 
index 0a70e2acc..d65d04624 100644 
--- a/app/views/artists/_form.html.erb 
+++ b/app/views/artists/_form.html.erb 
@@ -16,7 +16,7 @@
 <%= f.input :other_names_comma, :hint => "Separate with commas", :as => :text, :label => "Other names" %>
 <%= f.input :group_name %> 
- <%= f.input :url_string, :label => "URLs", :as => :text, :input_html => {:size => "50x5", :value => params.dig(:artist, :url_string) || @artist.url_array.join("\n")} %> 
+ <%= f.input :url_string, :label => "URLs", :as => :text, :input_html => {:size => "50x5", :value => params.dig(:artist, :url_string) || @artist.urls.join("\n")} %>
 <%= dtext_field "artist", "notes" %>
 <%= f.button :submit, "Submit" %>
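Review bot: The `$ul.append($("…").html($del))` context line directly below the changed line still routes the user-derived element through `.html()`; that is only safe because jQuery's `.html()` falls back to `empty().append()` when handed a jQuery object rather than a string, so the intent is clearer and harder to regress as `$ul.append($("…").append($del));` (the element tag names are stripped in this rendering, presumably a list item). The `.text(desc)` change on the `+` line is the right fix for `desc` itself, but the enclosing function begins and ends outside the hunk, so any other branch that still builds markup from `text` with `.html()` is not covered here and deserves the same check. Given the commit subject, a one-line comment above the `+` line, `// desc is user-controlled tag text: always .text(), never .html()`, would stop the next edit from reintroducing the injection.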
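Review bot: Nothing in the `+` line shows why `@artist.urls.join("\n")` is safer than the removed `@artist.url_array.join("\n")` — a reader of this hunk sees only a method rename, so if `url_array` returned html_safe or pre-rendered strings that the form helper then emitted unescaped into the textarea, that is the actual vulnerability and should be stated. An ERB comment above the line, `<%# urls are plain strings; the input helper escapes them — never pass html_safe values here %>`, or a sentence in the commit message, would make the fix verifiable. The same `:value` also takes `params.dig(:artist, :url_string)` straight from the request, which is acceptable only as long as the input helper escapes attribute values, so it is worth calling out in the same comment. The hunk header counts seven old lines but only five are visible here, so the surrounding markup lines appear to be lost in this rendering and the edge of this block is not fully in view.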