From 40f1732234d62fb4bf6d130da6bfa2e8c92fd241 Mon Sep 17 00:00:00 2001
From: Hans de Graaff
Date: Fri, 2 Jan 2009 13:51:49 +0100
Subject: [PATCH] Don't run double sanitation on a string. This messes up legitimate markup returned by sanitize, such as < when a description contains '<'.
---
 app/views/todos/_todo.html.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/views/todos/_todo.html.erb b/app/views/todos/_todo.html.erb
index 231eaf97..1c317c3f 100644
--- a/app/views/todos/_todo.html.erb
+++ b/app/views/todos/_todo.html.erb
@@ -13,7 +13,7 @@
<% unless @todo.completed? %><%= defer_link(1) %> <%= defer_link(7) %><% end %> <%= date_span -%> - <%= h sanitize(todo.description) %> + <%= sanitize(todo.description) %> <%= link_to( image_tag("recurring16x16.png"), {:controller => "recurring_todos", :action => "index"}, @@ -31,4 +31,4 @@ <% end -%>
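Review bot: With `h` removed, `sanitize(todo.description)` is the only output-encoding barrier on the description line, so every tag and attribute in Rails' default sanitize allowlist can now be rendered from user-entered todo text. If descriptions should carry only light markup, pass an explicit allowlist, for example `<%= sanitize(todo.description, :tags => %w(b i em strong a), :attributes => %w(href)) %>` (the tag list here is a constructed example). If they are meant to be plain text, `<%= h todo.description %>` alone would also fix the double escaping. A view test with a description containing both a `<script>` element and a bare `<` would pin the intended behaviour. The partial continues outside this hunk, so other places that print the description are not visible here.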
-<%= apply_behaviour ".date_clear:click","var selector_x = this.getAttribute('id').replace('_x', ''); $(selector_x).value='';" %>
\ No newline at end of file
+<%= apply_behaviour ".date_clear:click","var selector_x = this.getAttribute('id').replace('_x', ''); $(selector_x).value='';" %>