Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/comment.rb | 2 | ||||
-rw-r--r-- | app/models/foi_attachment.rb | 2 | ||||
-rw-r--r-- | app/models/incoming_message.rb | 3 | ||||
-rw-r--r-- | app/models/info_request.rb | 4 | ||||
-rw-r--r-- | app/models/outgoing_message.rb | 2 | ||||
-rw-r--r-- | app/models/public_body.rb | 4 | ||||
-rw-r--r-- | app/models/track_thing.rb | 4 |
7 files changed, 12 insertions, 9 deletions
diff --git a/app/models/comment.rb b/app/models/comment.rb index 5507910e2..bcd1efca8 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb @@ -68,7 +68,7 @@ class Comment < ActiveRecord::Base text = CGI.escapeHTML(text) text = MySociety::Format.make_clickable(text, :contract => 1) text = text.gsub(/\n/, '<br>') - return text + return text.html_safe end # When posting a new comment, use this to check user hasn't double submitted. diff --git a/app/models/foi_attachment.rb b/app/models/foi_attachment.rb index 2f8a9ab04..723bc4abb 100644 --- a/app/models/foi_attachment.rb +++ b/app/models/foi_attachment.rb @@ -219,7 +219,7 @@ class FoiAttachment < ActiveRecord::Base def ensure_filename! - if self.filename.nil? + if self.filename.blank? calc_ext = AlaveteliFileTypes.mimetype_to_extension(self.content_type) if !calc_ext calc_ext = "bin" diff --git a/app/models/incoming_message.rb b/app/models/incoming_message.rb index a02d2456a..3f551f420 100644 --- a/app/models/incoming_message.rb +++ b/app/models/incoming_message.rb @@ -284,6 +284,7 @@ class IncomingMessage < ActiveRecord::Base # Lotus notes quoting yeuch! def remove_lotus_quoting(text, replacement = "FOLDED_QUOTED_SECTION") text = text.dup + return text if self.info_request.user_name.nil? name = Regexp.escape(self.info_request.user_name) # To end of message sections @@ -694,7 +695,7 @@ class IncomingMessage < ActiveRecord::Base text = text.gsub(/\n/, '<br>') text = text.gsub(/(?:<br>\s*){2,}/, '<br><br>') # remove excess linebreaks that unnecessarily space it out - return text + return text.html_safe end diff --git a/app/models/info_request.rb b/app/models/info_request.rb index 3355b9443..cee9eb959 100644 --- a/app/models/info_request.rb +++ b/app/models/info_request.rb 
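Review bot: `return text.html_safe` in comment.rb is only sound because `CGI.escapeHTML(text)` runs three lines earlier and nothing after it re-introduces raw input, and that dependency is not written down anywhere. The same `.html_safe` return is added in the second incoming_message.rb hunk, in outgoing_message.rb and on `ret` in public_body.rb, where the visible context shows no escaping step at all, so those three should be confirmed against the full method bodies before merging. I would put a comment on each return such as `# html_safe: text was HTML-escaped above; only make_clickable/<br> markup added since`. In all four cases the method starts outside the hunk, so what `MySociety::Format.make_clickable` emits and where `types` comes from cannot be checked from here.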
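Review bot: The new guard `return text if self.info_request.user_name.nil?` in the first incoming_message.rb hunk lets an empty-string name through, and `Regexp.escape("")` then yields an empty fragment for whatever patterns are built from `name` below the hunk. This same commit changes `filename.nil?` to `filename.blank?` in foi_attachment.rb, so `return text if self.info_request.user_name.blank?` would be consistent and would cover both cases. The patterns themselves are outside the hunk, so the effect of an empty name is inferred rather than visible.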
@@ -284,9 +284,9 @@ public # into some sort of separate jurisdiction dependent file if self.public_body.url_name == 'general_register_office' # without GQ in the subject, you just get an auto response - _('{{law_used_full}} request GQ - {{title}}',:law_used_full=>self.law_used_full,:title=>self.title) + _('{{law_used_full}} request GQ - {{title}}',:law_used_full=>self.law_used_full,:title=>self.title.html_safe) else - _('{{law_used_full}} request - {{title}}',:law_used_full=>self.law_used_full,:title=>self.title) + _('{{law_used_full}} request - {{title}}',:law_used_full=>self.law_used_full,:title=>self.title.html_safe) end end def email_subject_followup(incoming_message = nil) diff --git a/app/models/outgoing_message.rb b/app/models/outgoing_message.rb index 2e98e1021..441813e5f 100644 --- a/app/models/outgoing_message.rb +++ b/app/models/outgoing_message.rb @@ -252,7 +252,7 @@ class OutgoingMessage < ActiveRecord::Base text = MySociety::Format.make_clickable(text, :contract => 1) text.gsub!(/\[(email address|mobile number)\]/, '[<a href="/help/officers#mobiles">\1</a>]') text = text.gsub(/\n/, '<br>') - return text + return text.html_safe end def fully_destroy diff --git a/app/models/public_body.rb b/app/models/public_body.rb index 57fe27767..f71520ee6 100644 --- a/app/models/public_body.rb +++ b/app/models/public_body.rb @@ -301,7 +301,7 @@ class PublicBody < ActiveRecord::Base ret = ret + " and " end ret = ret + types[-1] - return ret + return ret.html_safe else return _("A public authority") end @@ -520,6 +520,8 @@ class PublicBody < ActiveRecord::Base 'Version', ] public_bodies.each do |public_body| + # Skip bodies we use only for site admin + next if public_body.has_tag?('site_administration') csv << [ public_body.name, public_body.short_name, diff --git a/app/models/track_thing.rb b/app/models/track_thing.rb index 2a61eb858..81800f0ae 100644 --- a/app/models/track_thing.rb +++ b/app/models/track_thing.rb 
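Review bot: `self.title.html_safe` marks the request title as trusted markup without escaping it, in both branches of the info_request.rb hunk; if the title is user-entered (likely, but not shown here), a caller that renders this subject string in an HTML view may no longer get Rails' automatic escaping. The two `:title_in_email` changes in track_thing.rb do the same with `self.info_request.title` and `self.tracked_user.name`, while the neighbouring `:web` entries wrap the same values in `CGI.escapeHTML(...)`. If the intent is to stop entity-encoding in a plain-text mail subject, I would keep the model value unmarked and do the conversion at the mailer, or at minimum add `# html_safe only to avoid entity-encoding in the plain-text Subject; never render in HTML` above each changed line. The enclosing method begins above the hunk, so its callers cannot be checked from here.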
@@ -203,7 +203,7 @@ class TrackThing < ActiveRecord::Base :verb_on_page => _("Follow this request"), :verb_on_page_already => _("You are already following this request"), # Email - :title_in_email => _("New updates for the request '{{request_title}}'", :request_title => self.info_request.title), + :title_in_email => _("New updates for the request '{{request_title}}'", :request_title => self.info_request.title.html_safe), :title_in_rss => _("New updates for the request '{{request_title}}'", :request_title => self.info_request.title), # Authentication :web => _("To follow the request '{{request_title}}'", :request_title => CGI.escapeHTML(self.info_request.title)), @@ -270,7 +270,7 @@ class TrackThing < ActiveRecord::Base :verb_on_page => _("Follow this person"), :verb_on_page_already => _("You are already following this person"), # Email - :title_in_email => _("FOI requests by '{{user_name}}'", :user_name=>self.tracked_user.name), + :title_in_email => _("FOI requests by '{{user_name}}'", :user_name=>self.tracked_user.name.html_safe), :title_in_rss => _("FOI requests by '{{user_name}}'", :user_name=>self.tracked_user.name), # Authentication :web => _("To follow requests by '{{user_name}}'", :user_name=>CGI.escapeHTML(self.tracked_user.name)), |