From 963fc12347c3b5dbb1fc40bfd1cb0d0b6ffdb06e Mon Sep 17 00:00:00 2001
From: Victor Costa <vfcosta@gmail.com>
Date: Tue, 3 May 2016 15:29:47 -0300
Subject: [PATCH] html_safe: avoid escape task information string

---
 app/views/profile_editor/_pending_tasks.html.erb | 2 +-
 test/integration/safe_strings_test.rb            | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/views/profile_editor/_pending_tasks.html.erb b/app/views/profile_editor/_pending_tasks.html.erb
index 5324a55..cd3ed15 100644
--- a/app/views/profile_editor/_pending_tasks.html.erb
+++ b/app/views/profile_editor/_pending_tasks.html.erb
@@ -4,7 +4,7 @@
   <div class='pending-tasks'>
     <h2><%= _('You have pending requests') %></h2>
     <ul>
-      <%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task))}) %>
+      <%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task).html_safe)}) %>
     </ul>
     <%= button(:todo, _('Process requests'), :controller => 'tasks', :action => 'index') %>
   </div>
diff --git a/test/integration/safe_strings_test.rb b/test/integration/safe_strings_test.rb
index f9c598d..414e3a2 100644
--- a/test/integration/safe_strings_test.rb
+++ b/test/integration/safe_strings_test.rb
@@ -84,4 +84,12 @@ class SafeStringsTest < ActionDispatch::IntegrationTest
     }
   end
 
+  should 'not escape task information on manage profile' do
+    create_user('marley', :password => 'test', :password_confirmation => 'test').activate
+    person = Person['marley']
+    task = create(Task, :requestor => person, :target => person)
+    login 'marley', 'test'
+    get "/myprofile/marley"
+    assert_select ".pending-tasks ul li a"
+  end
 end
--
libgit2 0.21.2