From e7268fbaa2aa0c99a6e6e4706deafa6e5d47fa2a Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Thu, 2 Feb 2012 22:27:18 -0600
Subject: [PATCH] Remove the double-quote custom validation

Rails has had SQL injection prevention since at least 2009 so we don't need our version of it anymore.

Fixes ticket #1237
---
 app/models/todo.rb | 1 -
 test/functional/todos_controller_test.rb | 3 ++-
 test/unit/todo_test.rb | 7 +++++++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/app/models/todo.rb b/app/models/todo.rb
index a5bfd8d4..7d5b71d5 100644
--- a/app/models/todo.rb
+++ b/app/models/todo.rb
@@ -129,7 +129,6 @@ class Todo < ActiveRecord::Base
 if !show_from.blank? && show_from < user.date
 errors.add("show_from", I18n.t('models.todo.error_date_must_be_future'))
 end
- errors.add(:description, "may not contain \" characters") if /\"/.match(self.description)
 unless @predecessor_array.nil? # Only validate predecessors if they changed
 @predecessor_array.each do |todo|
 errors.add("Depends on:", "Adding '#{h(todo.specification)}' would create a circular dependency") if is_successor?(todo)
diff --git a/test/functional/todos_controller_test.rb b/test/functional/todos_controller_test.rb
index e100ac1e..147255b7 100644
--- a/test/functional/todos_controller_test.rb
+++ b/test/functional/todos_controller_test.rb
@@ -220,11 +220,12 @@ class TodosControllerTest < ActionController::TestCase
 start_count = Todo.count
 put :create, :_source_view => 'todo', "context_name"=>"library", "project_name"=>"Build a working time machine", "todo"=>{
- :multiple_todos=>"a\nb"}
+ :multiple_todos=>"a\nb\nmuch \"ado\" about \'nothing\'"}
 assert_equal start_count+2, Todo.count, "two todos should have been added"
 end
+
 def test_add_multiple_dependent_todos
 login_as(:admin_user)
diff --git a/test/unit/todo_test.rb b/test/unit/todo_test.rb
index eb677699..2414a4a8 100644
--- a/test/unit/todo_test.rb
+++ b/test/unit/todo_test.rb
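Review bot: Dropping the `"` check in the removed line is safe only as long as every query that touches `description` goes through ActiveRecord's bound conditions, and this hunk cannot show that; any string-interpolated `where`/`find_by_sql` elsewhere in the model or controllers would need to be confirmed before relying on the commit's justification. The removed check never addressed injection in the first place, since `/\"/` rejects only double quotes and lets a single quote through, so the real effect of this change is that descriptions may now legitimately contain quotes and the remaining exposure moves to output escaping. The neighbouring context line already escapes with `h(todo.specification)` when building an error message, and every view that renders `description` should be held to the same standard. The enclosing validation method begins before the hunk and continues past it.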
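Review bot: The new `multiple_todos` value carries three newline-separated entries, yet the unchanged assertion two lines below still expects `start_count+2` with the message "two todos should have been added"; if the controller splits `multiple_todos` on newlines, as the original two-line value suggests, the line should read `assert_equal start_count+3, Todo.count, "three todos should have been added"`, and if the test passes as written then the quote-bearing third entry is the one being dropped, which is exactly the case the commit means to cover. I cannot see the controller's handling of `multiple_todos` from this hunk, so this needs confirming against it. The enclosing test method's `def` line is above the hunk, and the `put :create` call appears collapsed here so its exact layout is not recoverable.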
@@ -75,6 +75,13 @@ class TodoTest < ActiveSupport::TestCase
 assert_equal "must be a date in the future", t.errors.on(:show_from)
 end
 
+ def test_validate_description_can_contain_quote
+ t = @not_completed2
+ t[:description] = "much \"ado\" about nothing"
+ assert t.save
+ assert_equal 0, t.errors.count
+ end
+
 def test_defer_an_existing_todo
 @not_completed2
 assert_equal :active, @not_completed2.aasm_current_state
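Review bot: The new test shows that a description containing `"` saves, but it never checks that the value reaches the database unchanged; adding `assert_equal "much \"ado\" about nothing", t.reload.description` after `assert t.save` would also catch any stripping or escaping applied on the way in, which is the behaviour a caller of this validation actually depends on. Assigning through `t[:description] = …` writes the raw attribute and bypasses a `description=` writer if the model defines one, so `t.description = "much \"ado\" about nothing"` is the more representative path for what the controller does. The removed validation only ever rejected double quotes, but since the functional test now also sends a single quote, this unit test could carry both characters in one value and document both in a single place.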