authorLouise Crow <louise.crow@gmail.com>2013-02-11 17:19:04 +0000
committerLouise Crow <louise.crow@gmail.com>2013-02-11 17:19:04 +0000
commit6d7a5581b5cae48f77062636f88bd2fa24553859 (patch)
tree8d22da8377ecc69db00d735e6da1e37ab6271341
parentd70c07f71cd8ed02a02da29479856ba858b7292f (diff)
parentedb4657629002d8184cc1cd130737143a08049de (diff)
Merge remote-tracking branch 'openaustralia_github/various_xss_escaping_fixes' into develop
-rw-r--r--app/models/user.rb3
-rw-r--r--app/views/public_body/view_email.rhtml4
2 files changed, 4 insertions, 3 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 617b51c60..e6c666e47 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -354,12 +354,13 @@ class User < ActiveRecord::Base
end
# Return about me text for display as HTML
+ # TODO: Move this to a view helper
def get_about_me_for_html_display
text = self.about_me.strip
text = CGI.escapeHTML(text)
text = MySociety::Format.make_clickable(text, :contract => 1)
text = text.gsub(/\n/, '<br>')
- return text
+ return text.html_safe
end
def json_for_api
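Review bot: The new `return text.html_safe` asserts that the whole string is trusted markup, which is only true because `CGI.escapeHTML` runs before `MySociety::Format.make_clickable` and the `<br>` substitution, and because `make_clickable` is presumed to emit only well-formed anchors when given already-escaped text; nothing in the method records that ordering requirement. I would add above the `CGI.escapeHTML` line: `# Escape user-supplied text FIRST; everything below may only add trusted markup, since the result is marked html_safe.` A regression spec feeding `about_me` a `<script>` tag and a `javascript:` URL and asserting on the output would pin the invariant, especially once the TODO moves this into a view helper. `self.about_me.strip` will raise on a nil `about_me`; that is pre-existing, and whether nil is reachable I cannot tell from here.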
diff --git a/app/views/public_body/view_email.rhtml b/app/views/public_body/view_email.rhtml
index 50601069f..79d7f7f4c 100644
--- a/app/views/public_body/view_email.rhtml
+++ b/app/views/public_body/view_email.rhtml
@@ -25,9 +25,9 @@
<p>
<% if @public_body.is_requestable? || @public_body.not_requestable_reason != 'bad_contact' %>
- <%= _('If the address is wrong, or you know a better address, please <a href="%s">contact us</a>.')% [help_contact_path]%>
+ <%= raw _('If the address is wrong, or you know a better address, please <a href="%s">contact us</a>.')% [help_contact_path]%>
<% else %>
- <%= _(' If you know the address to use, then please <a href="%s">send it to us</a>.
+ <%= raw _(' If you know the address to use, then please <a href="%s">send it to us</a>.
You may be able to find the address on their website, or by phoning them up and asking.')% [help_contact_path] %>
<% end %>
</p>
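Review bot: `raw` on the two `_()` calls lifts the entire translated message out of Rails escaping, not just the `<a href>` fragment, so the translation catalogue entries for these msgids become part of the trusted HTML surface. The only interpolated value is `help_contact_path`, a route helper, so the format argument is not user-controlled; the residual risk is a malicious or mis-edited `.po` entry rendered unescaped. If the project has a helper that builds the link with `link_to` and keeps the surrounding translated text escaped, that would be the safer form; otherwise I would add `<%# raw is acceptable here only because the sole interpolated value is a route helper; translations for this msgid must not carry untrusted markup %>` so the `raw` pattern is not copied onto strings that carry user input.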