From 8de74939ea51954e04037bd4602fac18668bf4bd Mon Sep 17 00:00:00 2001
From: Eric Allen <ericpallen@gmail.com>
Date: Fri, 2 Apr 2010 12:53:29 -0400
Subject: [PATCH] Kill HTML tags in todo notes

We still want to preserve quotes for textile, but tags of any sort
shouldn't be able to mess up the output.

Fixes #765
---
 app/helpers/application_helper.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 645be1c4..76622c50 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -202,9 +202,11 @@ module ApplicationHelper
   end
 
   def format_note(note)
+    note.gsub!(/</, '&lt;') # eliminate tags
+    note.gsub!(/>/, '&gt;')
+    note = markdown(note)
     note = auto_link_message(note)
     note = auto_link(note)
-    note = markdown(note)
-    note = sanitize(note)
+    return note
   end
 end