From c7b916ab09b7cf3b31f43bf45dbe52fb6abf3b4e Mon Sep 17 00:00:00 2001
From: Victor Costa <vfcosta@gmail.com>
Date: Tue, 23 Dec 2014 10:58:55 -0300
Subject: [PATCH] Sanitize comment title and body

---
 app/views/comment/_comment.html.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/views/comment/_comment.html.erb b/app/views/comment/_comment.html.erb
index 4e7aba4..1b02084 100644
--- a/app/views/comment/_comment.html.erb
+++ b/app/views/comment/_comment.html.erb
@@ -38,10 +38,10 @@
       <div class="comment-created-at">
         <%= show_time(comment.created_at) %>
       </div>
-      <h4><%= comment.title.blank? && '&nbsp;' || comment.title %></h4>
+      <h4><%= comment.title.blank? && '&nbsp;' || sanitize(comment.title) %></h4>
       <div class="comment-text">
         <p/>
-        <%= txt2html comment.body %>
+        <%= txt2html sanitize(comment.body) %>
       </div>
       <%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }.join("") %>
     </div>
--
libgit2 0.21.2