From 7e38ac845f72c367c5cada1e7565719291707056 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Thu, 11 Sep 2014 11:13:15 -0400
Subject: [PATCH] oops, omitted a couple important features/vulnerabilities

---
 app/models/user.rb | 4 ++--
 app/views/layouts/shared/_header.html.erb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 23922eb..9c5cc7f 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -62,7 +62,7 @@ class User < ActiveRecord::Base
 return auth
 end
-#=begin
+=begin
 # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
 def self.authenticate(email, password)
 user = find_by_email(email) || User.new(:password => "")
@@ -72,7 +72,7 @@ class User < ActiveRecord::Base
 raise "Incorrect username or password"
 end
 end
-#=end
+=end
 def assign_user_id
 unless @skip_user_id_assign.present? || self.user_id.present?
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index b2ee16d..0be9691 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
@@ -26,7 +26,7 @@ going on with funny chars and jquery, plus it says safe so I'm guessing nothing bad will happen -->
- Welcome, <%= current_user.first_name %>
+ Welcome, <%= current_user.first_name.html_safe %>
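Review bot: Nothing in the file now records which `authenticate` is the live one: below `=begin` the comment `# More secure version, still lacking a decent hashing routine, this is for timing attack prevention` still reads as if it described the active code, while the definition that actually runs is the one whose `return auth` / `end` open this hunk and whose body lies outside it (presumably the version without the dummy-user comparison). A one-line note above `=begin`, e.g. `# Intentionally disabled: the authenticate defined above is the active implementation; re-enable by removing the =begin/=end pair`, would make that visible to anyone grepping for the method. `=begin` and the matching `=end` in the hunk at -72 are only recognised at column 0, so any later re-indentation of this block would silently turn the pair back into two live `def self.authenticate` definitions, with the later one overriding the earlier. The enclosing `class User` starts and ends outside both hunks.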
  • <%= button_to "RailsGoat Tutorials", tutorials_path, {:class => "btn btn-primary", :method => "get"}%>