Sanitize output well, but entity-ize < and > in notes

Coming from a rich message or API call, notes can contain HTML and it
will render to the browser. Coming from a normal todo creation, though,
all < and > characters will be replaced with the corresponding entities.
This preserves HTML emails, but prevents users from breaking the layout
by entering broken HTML for todo notes.

Closes #765

app/helpers/application_helper.rb

@@ -202,11 +202,15 @@ module ApplicationHelper
   end
 
   def format_note(note)
-    note.gsub!(/</, '&lt;') # eliminate tags
-    note.gsub!(/>/, '&gt;')
     note = markdown(note)
     note = auto_link_message(note)
     note = auto_link(note)
+
+    # add onenote and message protocols
+    Sanitize::Config::RELAXED[:protocols]['a']['href'] << 'onenote'
+    Sanitize::Config::RELAXED[:protocols]['a']['href'] << 'message'
+
+    note = Sanitize.clean(note, Sanitize::Config::RELAXED)
     return note
   end
 end

app/models/todo.rb

@@ -286,7 +286,15 @@ class Todo < ActiveRecord::Base
   def active_to_block
     return successors.find_all {|t| t.active? or t.deferred?}
   end
-  
+
+  def notes=(value)
+    super(value.gsub(/</, '&lt;').gsub(/>/, '&gt;'))
+  end
+
+  def raw_notes=(value)
+    self[:notes] = value
+  end
+
   # Rich Todo API
   
   def self.from_rich_message(user, default_context_id, description, notes)
@@ -324,7 +332,7 @@ class Todo < ActiveRecord::Base
     
     todo = user.todos.build
     todo.description = description
-    todo.notes = notes
+    todo.raw_notes = notes
     todo.context_id = context_id
     todo.project_id = project_id unless project_id.nil?
     return todo

config/environment.rb

@@ -23,6 +23,7 @@ Rails::Initializer.run do |config|
   config.gem "RedCloth"
   config.gem "soap4r", :lib => false
   config.gem 'datanoise-actionwebservice', :lib => 'actionwebservice'
+  config.gem 'sanitize'
 
   config.action_controller.use_accept_header = true