From f30fb2164bd28b162f6f9635918b4350e5579a37 Mon Sep 17 00:00:00 2001 From: Daniela Soares Feitosa Date: Tue, 25 Aug 2009 11:29:07 -0300 Subject: [PATCH] ActionItem1216: unescaped html comment tags on articles --- test/unit/text_article_test.rb | 8 +++++++- test/unit/tiny_mce_article_test.rb | 8 ++++++-- vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb | 7 +++++++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/test/unit/text_article_test.rb b/test/unit/text_article_test.rb index 7670fac..751e73b 100644 --- a/test/unit/text_article_test.rb +++ b/test/unit/text_article_test.rb @@ -19,5 +19,11 @@ class TextArticleTest < Test::Unit::TestCase article = TextileArticle.create!(:name => 'found article test', :profile => person) assert_equal TextileArticle.find_by_contents('found'), TextArticle.find_by_contents('found') end - + + should 'remove comments from TextArticle body' do + person = create_user('testuser').person + article = TextArticle.create!(:profile => person, :name => 'article', :body => "the article ...") + assert_equal "the article ...", article.body + end + end diff --git a/test/unit/tiny_mce_article_test.rb b/test/unit/tiny_mce_article_test.rb index 75265f2..8c39f63 100644 --- a/test/unit/tiny_mce_article_test.rb +++ b/test/unit/tiny_mce_article_test.rb @@ -35,8 +35,12 @@ class TinyMceArticleTest < Test::Unit::TestCase should 'not translate & to amp; over times' do article = TinyMceArticle.create!(:name => 'link', :body => "link", :profile => profile) assert article.save - assert_no_match /&amp;/, article.body - assert_match /&/, article.body + assert_no_match(/&amp;/, article.body) + assert_match(/&/, article.body) end + should 'not escape comments from tiny mce article body' do + article = TinyMceArticle.create!(:profile => profile, :name => 'article', :abstract => 'abstract', :body => "the article ...") + assert_equal "the article ...", article.body + end end 
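Review bot: In the added 'remove comments from TextArticle body' test, the `:body` passed to `TextArticle.create!` and the string given to `assert_equal` both read `"the article ..."` on this page, so as displayed the assertion holds whether or not anything is stripped. If an HTML comment in the fixture was swallowed when the page was rendered, the test is fine; otherwise the input needs to contain an actual `<!-- ... -->` span for the assertion to mean anything. The same applies to the 'not escape comments from tiny mce article body' test in test/unit/tiny_mce_article_test.rb. A one-line comment above each test stating the intended rule would also help, for example `# HTML comments are dropped from a TextArticle body on save`.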
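Review bot: The added 'not escape comments from tiny mce article body' test covers only a benign, well-formed comment, while the behaviour it pins lets comment markup through the white-list sanitizer unescaped. It should be accompanied by negative cases: a body whose comment wraps markup the sanitizer would otherwise drop, and a body with an unterminated `<!--`. For the first, an assertion such as `assert_no_match(/<script/, article.body)` would catch a regression where comment contents bypass the white list. The sanitizer change in vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb is only partly visible on this page, so whether it already handles these inputs cannot be confirmed from here.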
diff --git a/vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb b/vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb index af24e18..afd00ba 100644 --- a/vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb +++ b/vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb @@ -4,6 +4,13 @@ # this was solved in rails 2.2.1, then remove this patch when upgrade to it HTML::WhiteListSanitizer.module_eval do + + def sanitize_with_filter_comments(*args, &block) + text = sanitize_without_filter_comments(*args, &block) + text.gsub(/<!--/, '