Add a bunch of fixes to HTML escaping, and a test case for it
[selectricity-live] / app / controllers / quickvote_controller.rb
index 5b3acab79f21998d5897e90cc331b71745c37b8c..bb60b4552b029efff74be54bba9282c7599a671f 100644 (file)
@@ -14,7 +14,7 @@ class QuickvoteController < ApplicationController
       @quickvote = QuickVote.new(params[:quickvote])
       # store the candidate grabbed through ajax and stored in flash
       @quickvote.candidatelist = flash[:candlist]
-      @quickvote.description=CGI.escapeHTML(@quickvote.description)
+      @quickvote.description=@quickvote.description
       # try to save, if it fails, show the page again (the flash should
       # still be intact
       if @quickvote.save
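Review bot: The new line `@quickvote.description=@quickvote.description` is a self-assignment that does nothing; delete the line rather than leave a no-op where the escaping call used to be. Moving escaping out of the input path is the sound model (storing pre-escaped text double-escapes on every re-render), but it means every view that prints the description must now escape at output, e.g. `<%= h @quickvote.description %>` in that era's ERB, and this hunk cannot show whether they do. The test case named in the commit title should assert the escaped rendering of a description containing `<`, not the stored value. The enclosing action starts before the hunk.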
@@ -33,7 +33,7 @@ class QuickvoteController < ApplicationController
   end
 
   def add_candidate
-    candidate_name = CGI.escapeHTML(params[:ajax][:newcandidate])
+    candidate_name = params[:ajax][:newcandidate]
     unless candidate_name.strip.empty?
       if flash.has_key?(:candlist) and flash[:candlist].instance_of?(Array) 
         flash[:candlist] << candidate_name unless flash[:candlist].index(candidate_name)
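Review bot: `candidate_name` is now the raw `params[:ajax][:newcandidate]` and is appended to `flash[:candlist]` unescaped on the last line, so the partial that renders the candidate list after this ajax call must escape each entry at output; it is not in the hunk, so it should be checked together with this change. The `strip.empty?` guard on the next line still raises NoMethodError when the parameter is absent, as the removed `CGI.escapeHTML(nil)` form did too; `candidate_name = params[:ajax][:newcandidate].to_s` would let the emptiness check cover the missing-parameter case (a missing `:ajax` key would still need its own guard). add_candidate continues past the hunk.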
