1 files changed, 13 insertions, 10 deletions

diff --git a/app/models/user.rb b/app/models/user.rb
index 6e1e21481..e6c666e47 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -50,6 +50,8 @@ class User < ActiveRecord::Base
         'super',
     ], :message => N_('Admin level is not included in list')
 
+    validate :email_and_name_are_valid
+
     acts_as_xapian :texts => [ :name, :about_me ],
         :values => [
              [ :created_at_numeric, 1, "created_at", :number ] # for sorting
@@ -108,15 +110,6 @@ class User < ActiveRecord::Base
         self.comments.find(:all, :conditions => 'visible')
     end
 
-    def validate
-        if self.email != "" && !MySociety::Validate.is_valid_email(self.email)
-            errors.add(:email, _("Please enter a valid email address"))
-        end
-        if MySociety::Validate.is_valid_email(self.name)
-            errors.add(:name, _("Please enter your name, not your email address, in the name field."))
-        end
-    end
-
     # Don't display any leading/trailing spaces
     # XXX we have strip_attributes! now, so perhaps this can be removed (might
     # be still needed for existing cases)
@@ -361,12 +354,13 @@ class User < ActiveRecord::Base
     end
 
     # Return about me text for display as HTML
+    # TODO: Move this to a view helper
     def get_about_me_for_html_display
         text = self.about_me.strip
         text = CGI.escapeHTML(text)
         text = MySociety::Format.make_clickable(text, :contract => 1)
         text = text.gsub(/\n/, '<br>')
-        return text
+        return text.html_safe
     end
 
     def json_for_api
@@ -413,6 +407,15 @@ class User < ActiveRecord::Base
         self.salt = self.object_id.to_s + rand.to_s
     end
 
+    def email_and_name_are_valid
+        if self.email != "" && !MySociety::Validate.is_valid_email(self.email)
+            errors.add(:email, _("Please enter a valid email address"))
+        end
+        if MySociety::Validate.is_valid_email(self.name)
+            errors.add(:name, _("Please enter your name, not your email address, in the name field."))
+        end
+    end
+
     ## Class methods
     def User.encrypted_password(password, salt)
         string_to_hash = password + salt # XXX need to add a secret here too?