author | Louise Crow <louise.crow@gmail.com> | 2013-03-04 16:18:44 -0800 |
---|---|---|
committer | Louise Crow <louise.crow@gmail.com> | 2013-03-04 16:18:44 -0800 |
commit | c48f20cf5a80333726aa3fb2bd992be99af09ce2 (patch) | |
tree | 4906a59b1336b69bc06ebb44ba192954f314b95e | |
parent | 2a193d3bc74b812bd9ddee9d7520ca1e98007511 (diff) | |
parent | 34bd940584dcdf7c1387f9a68110fed630aca85f (diff) |
Merge remote-tracking branch 'openaustralia_github/yet_more_assorted_escaping_fixes' into develop
-rw-r--r-- | app/controllers/admin_request_controller.rb | 2 | ||||
-rw-r--r-- | app/models/request_mailer.rb | 2 | ||||
-rw-r--r-- | app/views/contact_mailer/from_admin_message.rhtml | 2 | ||||
-rw-r--r-- | app/views/contact_mailer/to_admin_message.rhtml | 2 | ||||
-rw-r--r-- | app/views/contact_mailer/user_message.rhtml | 2 | ||||
-rw-r--r-- | app/views/outgoing_mailer/followup.rhtml | 4 | ||||
-rw-r--r-- | app/views/outgoing_mailer/initial_request.rhtml | 2 | ||||
-rw-r--r-- | app/views/request_mailer/external_response.rhtml | 2 | ||||
-rw-r--r-- | app/views/request_mailer/fake_response.rhtml | 2 | ||||
-rw-r--r-- | app/views/request_mailer/new_response.rhtml | 4 | ||||
-rw-r--r-- | app/views/request_mailer/new_response_reminder_alert.rhtml | 2 | ||||
-rw-r--r-- | app/views/request_mailer/overdue_alert.rhtml | 2 | ||||
-rw-r--r-- | app/views/request_mailer/requires_admin.rhtml | 4 | ||||
-rw-r--r-- | app/views/request_mailer/very_overdue_alert.rhtml | 2 | ||||
-rw-r--r-- | app/views/user_mailer/already_registered.rhtml | 4 | ||||
-rw-r--r-- | app/views/user_mailer/changeemail_confirm.rhtml | 2 | ||||
-rw-r--r-- | app/views/user_mailer/confirm_login.rhtml | 4 |
17 files changed, 22 insertions, 22 deletions
diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index ed8de7755..15d66aa0d 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -304,7 +304,7 @@ class AdminRequestController < AdminController post_redirect.save! url = main_url(confirm_url(:email_token => post_redirect.email_token, :only_path => true)) - flash[:notice] = 'Send "' + name + '" <<a href="mailto:' + email + '">' + email + '</a>> this URL: <a href="' + url + '">' + url + "</a> - it will log them in and let them upload a response to this request.".html_safe + flash[:notice] = ("Send \"#{name}\" <<a href=\"mailto:#{email}\">#{email}</a>> this URL: <a href=\"#{url}\">#{url}</a> - it will log them in and let them upload a response to this request.").html_safe redirect_to request_admin_url(info_request) end diff --git a/app/models/request_mailer.rb b/app/models/request_mailer.rb index dc2c5fe21..1b51b9479 100644 --- a/app/models/request_mailer.rb +++ b/app/models/request_mailer.rb @@ -87,7 +87,7 @@ class RequestMailer < ApplicationMailer 'Auto-Submitted' => 'auto-generated', # http://tools.ietf.org/html/rfc3834 'X-Auto-Response-Suppress' => 'OOF' @recipients = info_request.user.name_and_email - @subject = _("New response to your FOI request - ") + info_request.title + @subject = (_("New response to your FOI request - ") + info_request.title).html_safe @body = { :incoming_message => incoming_message, :info_request => info_request, :url => url } end diff --git a/app/views/contact_mailer/from_admin_message.rhtml b/app/views/contact_mailer/from_admin_message.rhtml index 43938e0dd..4169d8d3a 100644 --- a/app/views/contact_mailer/from_admin_message.rhtml +++ b/app/views/contact_mailer/from_admin_message.rhtml @@ -1,2 +1,2 @@ -<%= @message %> +<%= raw @message %> diff --git a/app/views/contact_mailer/to_admin_message.rhtml b/app/views/contact_mailer/to_admin_message.rhtml index 9c0a74c02..8c56779fd 100644 
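Review bot: In app/controllers/admin_request_controller.rb the new `flash[:notice]` line interpolates `name`, `email` and `url` into markup and then marks the whole string `html_safe`, so none of those values is escaped when the notice is rendered. On the removed line `.html_safe` bound only to the final literal, so the concatenation produced an ordinary String that (assuming the layout prints the flash through `<%= %>`) was escaped as a whole. `name` and `email` are assigned outside the hunk; if they derive from a requester or from an incoming message's headers, a crafted value would be rendered as HTML inside an administrator's session. Escape each value before interpolating, e.g. `#{ERB::Util.html_escape(name)}` and `#{ERB::Util.html_escape(email)}`, and write the literal angle brackets around the mailto link as `&lt;` and `&gt;`.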
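Review bot: In app/models/request_mailer.rb the `@subject` assignment now marks `info_request.title` (presumably requester-supplied) as `html_safe`, and nothing on the line says why that is acceptable. A mail subject is a plain-text header, so the mark does no harm there, but it travels with the string and would suppress escaping if the subject were ever printed in an HTML view. I would add a comment such as `# Subject is a plain-text header and is never rendered as HTML; html_safe only stops the title being entity-encoded`. The enclosing method starts outside the hunk.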
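Review bot: The `raw` added to `@message` in app/views/contact_mailer/from_admin_message.rhtml switches off escaping for what is presumably user-entered text, which is correct only while this template is delivered as text/plain. The same holds for the other mailer templates changed in this commit (contact_mailer/to_admin_message and user_message, outgoing_mailer/followup and initial_request, and the request_mailer and user_mailer views). Nothing in the diff shows the content type of these mails, so it is worth confirming that none of the mailers sends an HTML part. Recording that in each template would protect later edits, e.g. `<%# plain-text mail: raw is deliberate, do not reuse this template for an HTML part %>`.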
--- a/app/views/contact_mailer/to_admin_message.rhtml +++ b/app/views/contact_mailer/to_admin_message.rhtml @@ -1,4 +1,4 @@ -<%= @message.strip %> +<%= raw @message.strip %> --------------------------------------------------------------------- <%= _('Message sent using {{site_name}} contact form, ', :site_name=>site_name)%> diff --git a/app/views/contact_mailer/user_message.rhtml b/app/views/contact_mailer/user_message.rhtml index b1d6e81ae..afa1494db 100644 --- a/app/views/contact_mailer/user_message.rhtml +++ b/app/views/contact_mailer/user_message.rhtml @@ -5,7 +5,7 @@ learn your email address. Only reply if that is okay.', :user_name => @from_user.name) %> --------------------------------------------------------------------- -<%= @message.strip %> +<%= raw @message.strip %> --------------------------------------------------------------------- <%= _('View Freedom of Information requests made by {{user_name}}:', :user_name=>@from_user.name)%> diff --git a/app/views/outgoing_mailer/followup.rhtml b/app/views/outgoing_mailer/followup.rhtml index 7050a295b..049ebc881 100644 --- a/app/views/outgoing_mailer/followup.rhtml +++ b/app/views/outgoing_mailer/followup.rhtml @@ -1,6 +1,6 @@ -<%= @outgoing_message.body.strip %> +<%= raw @outgoing_message.body.strip %> -<%= @outgoing_message.quoted_part_to_append_to_email.strip %> +<%= raw @outgoing_message.quoted_part_to_append_to_email.strip %> ------------------------------------------------------------------- <%= _('Please use this email address for all replies to this request:')%> diff --git a/app/views/outgoing_mailer/initial_request.rhtml b/app/views/outgoing_mailer/initial_request.rhtml index d537a20bc..5c418ecc7 100644 --- a/app/views/outgoing_mailer/initial_request.rhtml +++ b/app/views/outgoing_mailer/initial_request.rhtml @@ -1,4 +1,4 @@ -<%= @outgoing_message.body.strip %> +<%= raw @outgoing_message.body.strip %> ------------------------------------------------------------------- 
diff --git a/app/views/request_mailer/external_response.rhtml b/app/views/request_mailer/external_response.rhtml index e9858f03f..896054a43 100644 --- a/app/views/request_mailer/external_response.rhtml +++ b/app/views/request_mailer/external_response.rhtml @@ -1 +1 @@ -<%=@body%> +<%= raw @body %> diff --git a/app/views/request_mailer/fake_response.rhtml b/app/views/request_mailer/fake_response.rhtml index e9858f03f..896054a43 100644 --- a/app/views/request_mailer/fake_response.rhtml +++ b/app/views/request_mailer/fake_response.rhtml @@ -1 +1 @@ -<%=@body%> +<%= raw @body %> diff --git a/app/views/request_mailer/new_response.rhtml b/app/views/request_mailer/new_response.rhtml index 083f873b4..672212f20 100644 --- a/app/views/request_mailer/new_response.rhtml +++ b/app/views/request_mailer/new_response.rhtml @@ -1,6 +1,6 @@ <%= _('You have a new response to the {{law_used_full}} request ',:law_used_full=>@info_request.law_used_full)%> -'<%= @info_request.title %>' <%=_('that you made to')%> -<%= @info_request.public_body.name %>. +'<%= raw @info_request.title %>' <%=_('that you made to')%> +<%= raw @info_request.public_body.name %>. <%= _('To view the response, click on the link below.')%> diff --git a/app/views/request_mailer/new_response_reminder_alert.rhtml b/app/views/request_mailer/new_response_reminder_alert.rhtml index 86fc71de7..c196dafe6 100644 --- a/app/views/request_mailer/new_response_reminder_alert.rhtml +++ b/app/views/request_mailer/new_response_reminder_alert.rhtml @@ -3,7 +3,7 @@ <%=@url%> <%= _('Your request was called {{info_request}}. Letting everyone know whether you got the information will help us keep tabs on',:info_request=>@info_request.title)%> -<%= @info_request.public_body.name %>. +<%= raw @info_request.public_body.name %>. -- <%= _('the {{site_name}} team', :site_name=>site_name) %> diff --git a/app/views/request_mailer/overdue_alert.rhtml b/app/views/request_mailer/overdue_alert.rhtml index b8a9ba525..249bf6bb8 100644 
--- a/app/views/request_mailer/overdue_alert.rhtml +++ b/app/views/request_mailer/overdue_alert.rhtml @@ -1,4 +1,4 @@ -<%= @info_request.public_body.name %> <%= _('have delayed.')%> +<%= raw @info_request.public_body.name %> <%= _('have delayed.')%> <%= _('They have not replied to your {{law_used_short}} request {{title}} promptly, as normally required by law',:law_used_short=>@info_request.law_used_short,:title=>@info_request.title)%><% if @info_request.public_body.is_school? %> <%=_('during term time')%> <% end %>. diff --git a/app/views/request_mailer/requires_admin.rhtml b/app/views/request_mailer/requires_admin.rhtml index 06a798792..e7ab53c59 100644 --- a/app/views/request_mailer/requires_admin.rhtml +++ b/app/views/request_mailer/requires_admin.rhtml @@ -1,9 +1,9 @@ --------------------------------------------------------------------- -<%=@reported_by.name%> <%= _('has reported an')%> <%=@info_request.law_used_short%> +<%= raw @reported_by.name %> <%= _('has reported an')%> <%= raw @info_request.law_used_short %> <%= _('response as needing administrator attention. Take a look, and reply to this email to let them know what you are going to do about it.')%> -Request '<%=@info_request.title%>': +Request '<%= raw @info_request.title %>': <%= @url %> <%= _('Administration URL:') %> diff --git a/app/views/request_mailer/very_overdue_alert.rhtml b/app/views/request_mailer/very_overdue_alert.rhtml index 6abd198a0..80597473c 100644 --- a/app/views/request_mailer/very_overdue_alert.rhtml +++ b/app/views/request_mailer/very_overdue_alert.rhtml @@ -1,4 +1,4 @@ -<%= @info_request.public_body.name %> <%= _('are long overdue.')%> +<%= raw @info_request.public_body.name %> <%= _('are long overdue.')%> <%= _('They have not replied to your {{law_used_short}} request {{title}}, as required by law',:law_used_short=>@info_request.law_used_short,:title=>@info_request.title)%><% if @info_request.public_body.is_school? %> <%= _('even during holidays')%><% end %>. 
diff --git a/app/views/user_mailer/already_registered.rhtml b/app/views/user_mailer/already_registered.rhtml index 59ffcbf94..32c2c7e63 100644 --- a/app/views/user_mailer/already_registered.rhtml +++ b/app/views/user_mailer/already_registered.rhtml @@ -1,10 +1,10 @@ -<%= @name %>, +<%= raw @name %>, <%= _('You just tried to sign up to {{site_name}}, when you already have an account. Your name and password have been left as they previously were. -Please click on the link below.', :site_name=>site_name)%> <%=@reasons[:email]%> +Please click on the link below.', :site_name=>site_name)%> <%=raw @reasons[:email] %> <%=@url%> diff --git a/app/views/user_mailer/changeemail_confirm.rhtml b/app/views/user_mailer/changeemail_confirm.rhtml index ffb9737f7..c73e9486b 100644 --- a/app/views/user_mailer/changeemail_confirm.rhtml +++ b/app/views/user_mailer/changeemail_confirm.rhtml @@ -1,4 +1,4 @@ -<%= @name %>, +<%= raw @name %>, <%= _('Please click on the link below to confirm that you want to change the email address that you use for {{site_name}} diff --git a/app/views/user_mailer/confirm_login.rhtml b/app/views/user_mailer/confirm_login.rhtml index 6f4feff00..fa86dc2b1 100644 --- a/app/views/user_mailer/confirm_login.rhtml +++ b/app/views/user_mailer/confirm_login.rhtml @@ -1,7 +1,7 @@ -<%= @name %>, +<%= raw @name %>, <%= _('Please click on the link below to confirm your email address.')%> -<%=@reasons[:email]%> +<%= raw @reasons[:email] %> <%=@url%> |