Sanitize output well, but entity-ize < and > in notes

Coming from a rich message or API call, notes can contain HTML and it will render to the browser. Coming from a normal todo creation, though, all < and > characters will be replaced with the corresponding entities. This preserves HTML emails, but prevents users from breaking the layout by entering broken HTML for todo notes. Closes #765
2026-02-05 15:31:47 +01:00 · 2010-04-07 10:06:46 -04:00 · 2010-04-07 10:06:46 -04:00 · 68701adaca
commit 68701adaca
parent fdba48c769
3 changed files with 17 additions and 4 deletions
--- a/app/models/todo.rb
+++ b/app/models/todo.rb
@ -286,7 +286,15 @@ class Todo < ActiveRecord::Base
  def active_to_block
    return successors.find_all {|t| t.active? or t.deferred?}
  end
-  
+
+  def notes=(value)
+    super(value.gsub(/</, '&lt;').gsub(/>/, '&gt;'))
+  end
+
+  def raw_notes=(value)
+    self[:notes] = value
+  end
+
  # Rich Todo API
  
  def self.from_rich_message(user, default_context_id, description, notes)
@ -324,7 +332,7 @@ class Todo < ActiveRecord::Base
    
    todo = user.todos.build
    todo.description = description
-    todo.notes = notes
+    todo.raw_notes = notes
    todo.context_id = context_id
    todo.project_id = project_id unless project_id.nil?
    return todo