From 40f1732234d62fb4bf6d130da6bfa2e8c92fd241 Mon Sep 17 00:00:00 2001
From: Hans de Graaff <hans@degraaff.org>
Date: Fri, 2 Jan 2009 13:51:49 +0100
Subject: [PATCH 1/4] Don't run double sanitation on a string.

This messes up legitimate markup returned by sanitize, such as &lt; when
a description contains '<'.
---
 app/views/todos/_todo.html.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/views/todos/_todo.html.erb b/app/views/todos/_todo.html.erb
index 231eaf97..1c317c3f 100644
--- a/app/views/todos/_todo.html.erb
+++ b/app/views/todos/_todo.html.erb
@@ -13,7 +13,7 @@
     <div class="description<%= staleness_class( todo ) %>">
       <% unless @todo.completed? %><span class="defer-container"><%= defer_link(1) %> <%= defer_link(7) %></span><% end %>
       <%= date_span -%>
-      <span class="todo.descr"><%= h sanitize(todo.description) %></span>
+      <span class="todo.descr"><%= sanitize(todo.description) %></span>
       <%= link_to(
         image_tag("recurring16x16.png"),
         {:controller => "recurring_todos", :action => "index"},
@@ -31,4 +31,4 @@
     <% end -%>
   </div>
 </div>
-<%=  apply_behaviour ".date_clear:click","var selector_x = this.getAttribute('id').replace('_x', ''); $(selector_x).value='';" %>
\ No newline at end of file
+<%=  apply_behaviour ".date_clear:click","var selector_x = this.getAttribute('id').replace('_x', ''); $(selector_x).value='';" %>

From 5cd65d0566b7d05c796baee16d4fb32f23b2a0a1 Mon Sep 17 00:00:00 2001
From: Hans de Graaff <hans@degraaff.org>
Date: Fri, 2 Jan 2009 13:51:49 +0100
Subject: [PATCH 2/4] Don't run double sanitation on a string.

This messes up legitimate markup returned by sanitize, such as &lt; when
a description contains '<'.
---
 app/views/todos/_todo.html.erb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/views/todos/_todo.html.erb b/app/views/todos/_todo.html.erb
index 2de2c5c5..ea72735b 100644
--- a/app/views/todos/_todo.html.erb
+++ b/app/views/todos/_todo.html.erb
@@ -23,7 +23,7 @@ parameters += "&_tag_name=#{@tag_name}" if @source_view == 'tag'
     </ul></ul>
     <div class="description<%= staleness_class( todo ) %>">
       <%= date_span -%>
-      <span class="todo.descr"><%= h sanitize(todo.description) %></span>
+      <span class="todo.descr"><%= sanitize(todo.description) %></span>
       <%= image_tag_for_recurring_todo(todo) if @todo.from_recurring_todo? %>
       <%= tag_list %>
       <%= deferred_due_date %>
@@ -37,4 +37,9 @@ parameters += "&_tag_name=#{@tag_name}" if @source_view == 'tag'
       <div class="placeholder"> </div>
     <% end -%>
   </div>
-</div>
\ No newline at end of file
+<<<<<<< HEAD:app/views/todos/_todo.html.erb
+</div>
+=======
+</div>
+<%=  apply_behaviour ".date_clear:click","var selector_x = this.getAttribute('id').replace('_x', ''); $(selector_x).value='';" %>
+>>>>>>> Don't run double sanitation on a string.:app/views/todos/_todo.html.erb

From 57d2187aa885c18420acd8102f878c58e569fbdd Mon Sep 17 00:00:00 2001
From: Hans de Graaff <hans@degraaff.org>
Date: Sun, 6 Dec 2009 09:45:22 +0100
Subject: [PATCH 3/4] Fix broken merge.

---
 app/views/todos/_todo.html.erb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/views/todos/_todo.html.erb b/app/views/todos/_todo.html.erb
index bb40beff..85ee76e7 100644
--- a/app/views/todos/_todo.html.erb
+++ b/app/views/todos/_todo.html.erb
@@ -45,4 +45,3 @@ parameters += "&_tag_name=#{@tag_name}" if @source_view == 'tag'
     <% end -%>
   </div>
 </div>
-<%=  apply_behaviour ".date_clear:click","var selector_x = this.getAttribute('id').replace('_x', ''); $(selector_x).value='';" %>

From 3e2a4e4846b4e653c94be2fe455cfc5dc4a926c0 Mon Sep 17 00:00:00 2001
From: Hans de Graaff <hans@degraaff.org>
Date: Sun, 19 Aug 2012 08:53:19 +0200
Subject: [PATCH 4/4] Fix html escaping.

---
 app/views/users/index.html.erb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb
index 17f116df..fc60a6f2 100644
--- a/app/views/users/index.html.erb
+++ b/app/views/users/index.html.erb
@@ -1,6 +1,6 @@
 <h1><%= t('users.manage_users') %></h1>
 
-<p><%= t('users.total_users_count', :count => "<span id=\"user_count\">#{@total_users}</span>") %></p>
+<p><%= t('users.total_users_count', :count => "<span id=\"user_count\">#{@total_users}</span>").html_safe %></p>
 
 <table class="users_table"> 
   <tr> 
@@ -24,7 +24,7 @@
       <td><%= h user.contexts.size %></td>
       <td><%= h user.projects.size %></td>
       <td><%= h user.notes.size %></td>
-      <td><%= !user.is_admin? ? remote_delete_user(user) : "&nbsp;" %></td>
+      <td><%= !user.is_admin? ? remote_delete_user(user) : "&nbsp;".html_safe %></td>
     </tr>
   <% end %>
 </table>
@@ -32,4 +32,4 @@
   <%= will_paginate @users %>
 </p>
 
-<p><%= link_to t('users.signup_new_user'), signup_path %></p>
\ No newline at end of file
+<p><%= link_to t('users.signup_new_user'), signup_path %></p>