The XML builder takes care of the escaping, and adding h() led to
double-escaped titles in the RSS feed.
@entries.each do |entry|
xml.item do
- xml.title h(entry.title)
+ xml.title entry.title
xml.link url_for(:action => "view", :id => entry.id, :display_name => entry.user.display_name, :host => SERVER_URL)
xml.guid url_for(:action => "view", :id => entry.id, :display_name => entry.user.display_name, :host => SERVER_URL)
xml.description entry.body.to_html
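Review bot: The new `xml.title entry.title` relies on the XML builder escaping element text, but nothing at the call site records that, so a later reader could re-add `h()` and bring back the double-escaping. I would put a comment above the line, for example `# Builder escapes element text itself; wrapping the value in h() double-escapes it`. The neighbouring `xml.description entry.body.to_html` goes through the same builder escaping; whether `to_html` sanitises the body is not visible here and is worth confirming separately. The `@entries.each` block closes outside this hunk.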
assert_response :not_found, "Should not be able to get a deleted users diary RSS"
end
+ def test_rss_character_escaping
+ create(:diary_entry, :title => "<script>")
+ get :rss, :format => :rss
+
+ assert_match "<title><script></title>", response.body
+ end
+
def test_view
# Try a normal entry that should work
diary_entry = create(:diary_entry, :user => users(:normal_user))
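Review bot: As shown on this page, the expected string in `test_rss_character_escaping` is `"<title><script></title>"`, which is the unescaped form and would only match a feed that emits the raw tag. This is probably the page rendering decoding the entities, but the committed file should be checked to confirm it reads `assert_match "<title>&lt;script&gt;</title>", response.body`. To pin the regression this commit fixes, the test could also add `assert_no_match(/&amp;lt;script/, response.body)`, so that a double-escaped title fails with an explicit message.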