sanitize comment attributes when they enter the db, not when they're 
displayed

git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2822 
567b1171-46fb-0310-a4c9-b4bef9110e78
technoweenie (author)
Fri Mar 30 21:07:57 -0700 2007
commit  6f644bee8b9698efd08d71b809f6f426e463df88
tree    5cf7f1320c5e6af72e7c24fed6cb1e5a8d292916
parent  f5e53e93a75f7d233ac77b769eb69ed0a2f2bf78
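--- a/PATH_NOT_ON_PAGE/comment_drop.rb
+++ b/PATH_NOT_ON_PAGE/comment_drop.rb
@@ -20,7 +20,7 @@ class CommentDrop < BaseDrop
   end
 
   def author_link
- @source.author_url.blank? ? "<span>#{CGI::escapeHTML(@source.author)}</span>" : %Q{<a href="#{CGI::escapeHTML author_url}">#{CGI::escapeHTML @source.author}</a>}
+ @source.author_url.blank? ? "<span>#{@source.author}</span>" : %Q{<a href="#{author_url}">#{@source.author}</a>}
   end
   
   def presentation_class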
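Review bot: Dropping `CGI::escapeHTML` from the new `author_link` line makes the rendered `<span>`/`<a>` markup depend entirely on a storage-time callback, so any comment row written before `sanitize_attributes` existed, or saved through a path that does not run that `before_create` hook, is interpolated into HTML unescaped. Render-time escaping in the drop was the layer that held no matter how the value reached the database; I would keep `CGI::escapeHTML` on this line, and if the stored values are now pre-escaped, pair the change with a one-off re-encode of existing rows so the output does not show `&amp;lt;` artifacts. The `author_url` helper used in the href is defined outside this hunk, so whether it applies any scheme check before the value lands in an attribute is not visible here.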
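--- a/PATH_NOT_ON_PAGE/comment.rb
+++ b/PATH_NOT_ON_PAGE/comment.rb
@@ -7,11 +7,12 @@ class Comment < Content
   before_validation :clean_up_author_url
   after_validation_on_create :snag_article_attributes
   before_create :check_comment_expiration
+ before_create :sanitize_attributes
   before_save :update_counter_cache
   before_destroy :decrement_counter_cache
   belongs_to :article
   has_one :event, :dependent => :destroy
- attr_protected :approved
+ attr_accessible :article, :article_id, :user_id, :user, :excerpt, :body, :author, :author_url, :author_email, :author_ip, :updater_id, :updater, :comment_age, :user_agent, :referrer
 
   def self.find_all_by_section(section, options = {})
     find :all, options.update(:conditions => ['contents.approved = ? and assigned_sections.section_id = ?', true, section.id],
@@ -67,9 +68,15 @@ class Comment < Content
   end
 
   protected
+ def sanitize_attributes
+ [:author, :author_url, :author_email, :author_ip, :user_agent, :referrer].each do |a|
+ self.send("#{a}=", CGI::escapeHTML(self.send(a).to_s))
+ end
+ end
+
     def snag_article_attributes
       self.filter ||= article.site.filter
- self.attributes = { :site => article.site, :title => article.title, :published_at => article.published_at, :permalink => article.permalink }
+ [:site, :title, :published_at, :permalink].each { |a| self.send("#{a}=", article.send(a)) }
     end
 
     def check_comment_expiration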
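Review bot: `sanitize_attributes` is registered as `before_create` in the first hunk, so `author`, `author_url` and the other listed fields are escaped exactly once at insert and a later save of an existing comment stores the raw value; moving it to `before_save` closes that path but then re-escapes already-escaped rows on every save (`&lt;` becomes `&amp;lt;`), so the method as written in the second hunk needs to be idempotent or the update path needs its own handling. HTML escaping is also not URL validation: `CGI::escapeHTML` leaves the scheme of `author_url` untouched, so any scheme check belongs in `clean_up_author_url`, which is outside the hunk. The new `attr_accessible` list keeps `user`, `user_id`, `updater` and `updater_id` mass-assignable, as `attr_protected :approved` did; switching to a whitelist is the moment to leave identity fields out of it and set them in code, unless the controller already overrides them after assignment. `sanitize_attributes` itself should carry a one-line comment stating that values are stored HTML-escaped and that templates must not escape them again, since that contract is what the drop change relies on.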
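--- a/PATH_NOT_ON_PAGE/schema.rb
+++ b/PATH_NOT_ON_PAGE/schema.rb
@@ -2,7 +2,7 @@
 # migrations feature of ActiveRecord to incrementally modify your database, and
 # then regenerate this schema definition.
 
-ActiveRecord::Schema.define(:version => 70) do
+ActiveRecord::Schema.define(:version => 71) do
 
   create_table "assets", :force => true do |t|
     t.column "content_type", :string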
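--- a/PATH_NOT_ON_PAGE/comment_drop_test.rb
+++ b/PATH_NOT_ON_PAGE/comment_drop_test.rb
@@ -36,6 +36,7 @@ class CommentDropTest < Test::Unit::TestCase
     assert_equal %Q{<a href="https://abc">rico</a>}, @comment.author_link
     @comment.source.author = '<strong>rico</strong>'
     @comment.source.author_url = '<strong>https://abc</strong>'
+ @comment.source.send(:sanitize_attributes)
     assert_equal %Q{<a href="http://&lt;strong&gt;https://abc&lt;/strong&gt;">&lt;strong&gt;rico&lt;/strong&gt;</a>}, @comment.author_link
   end
   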
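Review bot: The added `@comment.source.send(:sanitize_attributes)` calls the protected method directly, so the test verifies the method body but not that the `before_create` callback fires, and it says nothing about the update path, which the model leaves unescaped. A second assertion that assigns `author` on an already-persisted comment, saves it and checks `author_link` is still escaped would expose that gap; going through `@comment.source.save` (or `Comment.create`) instead of `send` would also exercise the real hook and stop coupling the test to the callback's name. The enclosing test method starts outside the hunk.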
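--- a/PATH_NOT_ON_PAGE/comment_test.rb
+++ b/PATH_NOT_ON_PAGE/comment_test.rb
@@ -29,7 +29,7 @@ class CommentTest < Test::Unit::TestCase
   def test_should_allow_set_filter_on_comment
     old_times = contents(:welcome).comments.collect &:updated_at
     comment = contents(:welcome).comments.create :body => 'test comment', :author => 'bob', :author_ip => '127.0.0.1', :filter => 'markdown_filter'
- assert_equal 'markdown_filter', comment.filter
+ comment.filter = 'markdown_filter'
     assert_valid comment
     assert_equal old_times, contents(:welcome).comments(true).collect(&:updated_at)
   end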
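Review bot: Replacing `assert_equal 'markdown_filter', comment.filter` with `comment.filter = 'markdown_filter'` deletes the only check that the `:filter` passed to `create` took effect, while the test is still named `test_should_allow_set_filter_on_comment`; `:filter` is absent from the new `attr_accessible` list in the model, which is presumably why the assertion started failing. If commenters are not meant to choose a filter, the test should say so by asserting the mass-assigned value was ignored, e.g. `assert_nil comment.filter` before the explicit assignment, or be renamed; if they are, `:filter` belongs in the whitelist and the original assertion should stay. Either way the test should end with an assertion on `filter`, e.g. `assert_equal 'markdown_filter', comment.filter` after the assignment, rather than silently setting it.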